Field | Value
---|---
File name | orcus_premium.rar
Full analysis | https://app.any.run/tasks/57445472-a4cb-4614-b576-9ae4ce2f6cf8
Verdict | Malicious activity
Threats | Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Analysis date | January 24, 2022, 15:48:15
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | C17C457C5B4E869466BB3F0BBB8F2801
SHA1 | 923070A1DAE11B1E5D020D6532330CCEB417FCD1
SHA256 | 8AF4B7F47E3848815DC1D5D47CEB8A7F68542F39222A2AB6B01BD23D6E2D7D01
SSDEEP | 24576:ohQqUHMSlgyHEmdL+ZBSeA2xkLEfoT95LarEL:PMSCyHDMVxq75Gu
Extension | Identified type
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Parent process | User | Company | Integrity level | Description | Version | Exit code
---|---|---|---|---|---|---|---|---|---
2532 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\orcus_premium.rar" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 5.91.0 | 0
2612 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46018\orcus_premium.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46018\orcus_premium.exe | WinRAR.exe | admin | Synaptics | MEDIUM | Synaptics Pointing Device Driver | 1.0.0.4 | 0
2464 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46018\._cache_orcus_premium.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46018\._cache_orcus_premium.exe | orcus_premium.exe | admin | — | MEDIUM | — | 1.0.0.0 | —
2044 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46075\orcus_premium.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46075\orcus_premium.exe | WinRAR.exe | admin | Synaptics | MEDIUM | Synaptics Pointing Device Driver | 1.0.0.4 | 0
4016 | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | C:\ProgramData\Synaptics\Synaptics.exe | orcus_premium.exe | admin | Synaptics | HIGH | Synaptics Pointing Device Driver | 1.0.0.4 | —
3684 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46075\._cache_orcus_premium.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46075\._cache_orcus_premium.exe | orcus_premium.exe | admin | — | MEDIUM | — | 1.0.0.0 | 0
2640 | "C:\Users\admin\Desktop\orcus_premium.exe" | C:\Users\admin\Desktop\orcus_premium.exe | Explorer.EXE | admin | Synaptics | MEDIUM | Synaptics Pointing Device Driver | 1.0.0.4 | 0
1292 | "C:\Users\admin\Desktop\._cache_orcus_premium.exe" | C:\Users\admin\Desktop\._cache_orcus_premium.exe | orcus_premium.exe | admin | — | MEDIUM | — | 1.0.0.0 | 0
2152 | "C:\Users\admin\Desktop\orcus_premium.exe" | C:\Users\admin\Desktop\orcus_premium.exe | Explorer.EXE | admin | Synaptics | MEDIUM | Synaptics Pointing Device Driver | 1.0.0.4 | 0
3980 | "C:\Users\admin\Desktop\._cache_orcus_premium.exe" | C:\Users\admin\Desktop\._cache_orcus_premium.exe | orcus_premium.exe | admin | — | MEDIUM | — | 1.0.0.0 | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\orcus_premium.rar | compressed | 3449248CBCF69EA4C4EB2B50A70E34C8 | 6DC6D3D29A21B8C39358C0A68D688D929264893E6B7DC5D293A4E8C6C2A57DAA
2532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rar_2532.46634 | compressed | 3449248CBCF69EA4C4EB2B50A70E34C8 | 6DC6D3D29A21B8C39358C0A68D688D929264893E6B7DC5D293A4E8C6C2A57DAA
2464 | ._cache_orcus_premium.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | F2FBB01DC3002C99D9E8676F35BA81E6 | 74F9E1593BA3C0E90749407D50E4E79A8E5A73356ED2CB89FCE48B97EBCB41CE
2612 | orcus_premium.exe | C:\ProgramData\Synaptics\Synaptics.exe | executable | 28DCEEF73DCF576AFA2F57E55F1170F4 | 49DC2A414921650BA62FDBA2B7A05013E451426D11C64464EFACF54610DB21FC
2532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rar_2532.46817 | compressed | 7040A02EC1BF710A794E304FC6770FE1 | 991D82A7C824CDDE3C59B09870692114260AD9B3E6D365C71B73E77350BAF58E
2612 | orcus_premium.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46018\._cache_orcus_premium.exe | executable | 0498F32DD9F785E3B29001C47BCEF7F2 | B5A9E6D552748C0E1106DF77AA951CD48DEB4A3AF5F4F5EAC5DF7740B2C6C508
4016 | Synaptics.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 0EF9535DC4321E362ADE7D3F63A47968 | 4A6F9B9BE1A8504BAC51382BD18CF3D373AF3416E422C7AC97F462073B7D9B8F
2044 | orcus_premium.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2532.46075\._cache_orcus_premium.exe | executable | 0498F32DD9F785E3B29001C47BCEF7F2 | B5A9E6D552748C0E1106DF77AA951CD48DEB4A3AF5F4F5EAC5DF7740B2C6C508
2640 | orcus_premium.exe | C:\Users\admin\Desktop\._cache_orcus_premium.exe | executable | 0498F32DD9F785E3B29001C47BCEF7F2 | B5A9E6D552748C0E1106DF77AA951CD48DEB4A3AF5F4F5EAC5DF7740B2C6C508
2532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\orcus_premium.bak2532.46859 | compressed | 3449248CBCF69EA4C4EB2B50A70E34C8 | 6DC6D3D29A21B8C39358C0A68D688D929264893E6B7DC5D293A4E8C6C2A57DAA
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4016 | Synaptics.exe | GET | — | 69.42.215.252:80 | http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | US | — | — | whitelisted |
4016 | Synaptics.exe | GET | 200 | 142.250.184.195:80 | http://crl.pki.goog/gsr1/gsr1.crl | US | der | 1.61 Kb | whitelisted |
2464 | ._cache_orcus_premium.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a0a1c65e6b1310f9 | unknown | compressed | 59.9 Kb | whitelisted |
4016 | Synaptics.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQC04WHG3wyS9QoAAAABK3x8 | US | der | 472 b | whitelisted |
4016 | Synaptics.exe | GET | 200 | 2.16.106.233:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d8826548d56b5756 | unknown | compressed | 4.70 Kb | whitelisted |
4016 | Synaptics.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2464 | ._cache_orcus_premium.exe | 2.16.106.171:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
2464 | ._cache_orcus_premium.exe | 3.129.187.220:13565 | 4.tcp.ngrok.io | — | US | malicious |
4016 | Synaptics.exe | 142.250.185.78:443 | docs.google.com | Google Inc. | US | whitelisted |
4016 | Synaptics.exe | 69.42.215.252:80 | freedns.afraid.org | Awknet Communications, LLC | US | malicious |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
4016 | Synaptics.exe | 2.16.106.233:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
4016 | Synaptics.exe | 142.250.184.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
www.microsoft.com | — | whitelisted
4.tcp.ngrok.io | — | malicious
xred.mooo.com | — | suspicious
ctldl.windowsupdate.com | — | whitelisted
freedns.afraid.org | — | whitelisted
docs.google.com | — | shared
ocsp.pki.goog | — | whitelisted
crl.pki.goog | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com |