MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebc80b40162ee240325f427a3f494e6299432b1684d414043249c6e30f7c7c82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OrcusRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebc80b40162ee240325f427a3f494e6299432b1684d414043249c6e30f7c7c82
SHA3-384 hash: 4158b110ea6a2e4c63a507430f859d3e06b2ba73e3fd78b44c2a20ed42b6cb5776def3ffcb8ec9b732239acdf8093d69
SHA1 hash: afffb2181b90ea059f16f62d78130fda472fe771
MD5 hash: ac0abe861d4482ac4a0ab8d7fde8677d
humanhash: west-avocado-oregon-stairway
File name:ac0abe861d4482ac4a0ab8d7fde8677d.exe
Download: download sample
Signature OrcusRAT
Create hunting rule
File size:514'560 bytes
First seen:2022-05-15 07:02:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:qPcb9EExKhrFoVcx+0AEddgDDgpVtZI5lZP26axHU++4bVqnpCLE:f9Ol+V5wqgpHZI5lB14bVACo
Threatray 156 similar samples on MalwareBazaar
TLSH T1ADB4A02A61D99231DD7466FC273397F48BAE1C06141CD6190B8279F91ABDBC07E40FBA
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d2de8f9c9e9ad818 (6 x AsyncRAT, 2 x QuasarRAT, 1 x OrcusRAT)
Reporter abuse_ch
Tags:exe OrcusRAT


Avatar
abuse_ch
OrcusRAT C2:
80.80.130.104:350

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.80.130.104:350 https://threatfox.abuse.ch/ioc/569925/

Intelligence

File Origin
# of uploads :
1
# of downloads :
486
Origin country :
n/a
Vendor Threat Intelligence
Detection:
OrcusRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270762/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Searching for synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Enabling the 'hidden' option for recently created files
Creating a file
Launching a process
Creating a window
Searching for the window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated orcus packed replace.exe
Link:
https://www.filescan.io/uploads/6280a586cc43366302ca6910/reports/f259c42c-ff1d-428b-835e-2e4a8fc9a084/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Orcus RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/923c529b-978c-4104-bb38-d159af3bfa49
Result
Threat name:
Orcus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994288
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to disable the Task Manager (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Orcus RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626781 Sample: eW323bJMHc.exe Startdate: 15/05/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Found malware configuration 2->57 59 15 other signatures 2->59 7 eW323bJMHc.exe 1 3 2->7         started        10 hey.exe 2 2->10         started        13 OpenWith.exe 2->13         started        process3 dnsIp4 31 C:\Users\user\AppData\Roaming\hey.exe, PE32 7->31 dropped 15 hey.exe 15 4 7->15         started        20 WerFault.exe 23 9 7->20         started        35 laurentprotector.com 10->35 37 172.67.155.151, 49741, 80 CLOUDFLARENETUS United States 10->37 39 192.168.2.1 unknown unknown 10->39 22 WerFault.exe 10->22         started        file5 process6 dnsIp7 41 laurentprotector.com 104.21.80.239, 443, 49725, 49727 CLOUDFLARENETUS United States 15->41 43 cdn.discordapp.com 162.159.133.233, 443, 49732 CLOUDFLARENETUS United States 15->43 27 C:\ProgramData\1fcb0fe505abd8a1.dll, PE32 15->27 dropped 45 Antivirus detection for dropped file 15->45 47 Multi AV Scanner detection for dropped file 15->47 49 Machine Learning detection for dropped file 15->49 51 2 other signatures 15->51 24 aspnet_regbrowsers.exe 2 15->24         started        29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->29 dropped file8 signatures9 process10 dnsIp11 33 iknowyoumissme.ddnsfree.com 80.80.130.104, 350, 49745, 49752 ANGELSOFTBulgariaBG Bulgaria 24->33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebc80b40162ee240325f427a3f494e6299432b1684d414043249c6e30f7c7c82/
Threat name:
ByteCode-MSIL.Trojan.Orcus
Create hunting rule
Status:
Malicious
First seen:
2022-05-08 20:58:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5peawqawf3reams7ij5d6skomkmugkywqtkbibbsjhdogd34psba._file
Verdict:
malicious
Similar samples:
0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f
OrcusRAT
163f0f159705867530e310ee48ffb66a057fba8a236ca2473c3de1d2f9ea48c9
OrcusRAT
6b2bc89a82c41241a24f0a8c7972b563e30303bf7c277d767ac5766510e8f03e
OrcusRAT
785771e54cd9bb3c949f9967c391d5bef6c09c3a25edabc396c188741ddd570c
OrcusRAT
e1742f5a6a586cf57684ffe645b673e674948f9b9f0beb118f9d399722d1147a
OrcusRAT
e877ee10428a6a81a83caaa9222466efbc4635a719613d63f813d8dc49baef8f
OrcusRAT
+ 146 additional samples on MalwareBazaar
Result
Malware family:
orcus
Create hunting rule
Score:
  10/10
Tags:
family:orcus rat spyware stealer
Link:
https://tria.ge/reports/220515-hvb9dagbgn/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Orcurs Rat Executable
Orcus
Malware Config
C2 Extraction:
iknowyoumissme.ddnsfree.com:350
Unpacked files
SH256 hash:
d8d19b0bb5b179e7996f2e17b81208ecc865dd1d4731d8affe3092959c31e1d0
MD5 hash:
6f2adb034585a767a76c9af8dc29213b
SHA1 hash:
cc699c6e6b861788ad928cca8e5559e8630e83aa
Link:
https://www.unpac.me/results/e329f7d9-7df9-4025-af02-1c31cc2a1e58/
SH256 hash:
ebc80b40162ee240325f427a3f494e6299432b1684d414043249c6e30f7c7c82
MD5 hash:
ac0abe861d4482ac4a0ab8d7fde8677d
SHA1 hash:
afffb2181b90ea059f16f62d78130fda472fe771
Link:
https://www.unpac.me/results/e329f7d9-7df9-4025-af02-1c31cc2a1e58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/ebc80b40162ee240325f427a3f494e6299432b1684d414043249c6e30f7c7c82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MAL_BackNet_Nov18_1
Create hunting rule
Author:Florian Roth
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_BackNet_Nov18_1_RID2D6D
Create hunting rule
Author:Florian Roth
Description:Detects BackNet samples
Reference:https://github.com/valsov/BackNet
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270762/

Comments