MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OrcusRAT


Vendor detections: 12



SHA256 hash: f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d
SHA3-384 hash: 22025c13c7e2171b88f3e9b5463b015ca33069a375eb4131a093a10710d2d909a4a43ff30ae95b3657dfea4c2cacf2a2
SHA1 hash: a336bd9298b0772f4d5764f695335fc7ef99755b
MD5 hash: a71f91351dc1bb57f0426080f2c03854
humanhash: magnesium-beer-tennis-triple
File name: a71f91351dc1bb57f0426080f2c03854.exe
Signature: OrcusRAT
File size: 8'822'272 bytes
First seen: 2021-07-17 07:51:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 98304:UCpuWzk89PQezhQupzgb+sX1ZvbeAyJZgh4Z0FGRABTgtse6vzovk1bcWb5/XHcr:XXkqVhQWUCsXDjDyfGZkJMbfR0X
Threatray: 166 similar samples on MalwareBazaar
TLSH: T1209612883658B98FC4BFD972DAB41CA8A770786A4707E307541711ED6D4F683EF242E2
Reporter: abuse_ch
Tags: exe OrcusRAT


abuse_ch
OrcusRAT C2:
67.242.2.35:10134

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
67.242.2.35:10134   https://threatfox.abuse.ch/ioc/160867/

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'040
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a71f91351dc1bb57f0426080f2c03854.exe
Verdict: No threats detected
Analysis date: 2021-07-17 07:53:26 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AsyncRAT Orcus Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Capture Wi-Fi password
Sigma detected: Koadic Execution
Sigma detected: Powershell Defender Exclusion
Sigma detected: Regsvr32 Anomaly
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Orcus RAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 450201, sample TIJYYlYJpv.exe, start date 17/07/2021, architecture WINDOWS, score 100 (graph rendering not reproduced in text)
Threat name: ByteCode-MSIL.Trojan.Remcos
Status: Malicious
First seen: 2021-07-15 07:16:29 UTC
File Type: PE (.Net Exe)
Extracted files: 416
AV detection: 34 of 46 (73.91%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:asyncrat family:orcus family:xmrig botnet:newvprefinal discovery evasion miner pyinstaller rat spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Orcurs Rat Executable
XMRig Miner Payload
AsyncRat
Orcus
Orcus Main Payload
xmrig
Malware Config
C2 Extraction: 67.242.2.35:10134

Unpacked files
SHA256 hash: f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d
MD5 hash: a71f91351dc1bb57f0426080f2c03854
SHA1 hash: a336bd9298b0772f4d5764f695335fc7ef99755b
Detections: win_asyncrat_w0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: INDICATOR_EXE_DotNET_Encrypted
Author: ditekSHen
Description: Detects encrypted or obfuscated .NET executables

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers

Rule name: pe_imphash

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments