analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

READ ME.txt

Full analysis: https://app.any.run/tasks/685a0f2a-0e42-4a69-ab8f-7ffe6c941586
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Malware Trends Tracker     >>>
Analysis date: June 12, 2019, 05:26:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
orcus
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

5991C706E73EFEB8B6F07DBABEBCFB74

SHA1:

FEB578D7D6B2F19D23A2C562D6C70D3169260780

SHA256:

B25E01140C48D71709CF9CE685FA298393BDA84C2545FB44C90B3663E6C0871A

SSDEEP:

24:lZDsB9VovZqmhdvwj7OVkL3j065YcLQCzl:T0foRv6OgpJUKl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Orcus.Administration.exe (PID: 3168)
      • SearchProtocolHost.exe (PID: 1924)
      • Orcus.Server.Patched.exe (PID: 636)

    • Orcus was detected

      • Orcus.Administration.exe (PID: 3168)

    • Application was dropped or rewritten from another process

      • Orcus.Server.Patched.exe (PID: 636)

  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1136)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3148)
      • Orcus.Server.Patched.exe (PID: 636)

    • Reads Environment values

      • Orcus.Administration.exe (PID: 3168)

    • Reads Internet Cache Settings

      • Orcus.Administration.exe (PID: 3168)

  • INFO

    • Manual execution by user

      • chrome.exe (PID: 1136)
      • Orcus.Administration.exe (PID: 3168)
      • Orcus.Server.Patched.exe (PID: 636)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 1136)

    • Creates files in the user directory

      • chrome.exe (PID: 1136)

    • Application launched itself

      • chrome.exe (PID: 1136)

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3148)

    • Reads settings of System Certificates

      • chrome.exe (PID: 1136)
      • Orcus.Administration.exe (PID: 3168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
70
Monitored processes
32
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start notepad.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe #ORCUS orcus.administration.exe searchprotocolhost.exe no specs orcus.server.patched.exe

Process information

PID
CMD
Path
Indicators
Parent process
3336"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\READ ME.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1136"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
73.0.3683.75
2096"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f5e0f18,0x6f5e0f28,0x6f5e0f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3584"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3948 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2800"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=960,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15920027177994419801 --mojo-platform-channel-handle=932 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
1904"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --service-pipe-token=3294789208902669516 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3294789208902669516 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
1512"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --service-pipe-token=16713318273647596486 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16713318273647596486 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3868"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --service-pipe-token=14923747116235490702 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14923747116235490702 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2544"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=960,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5615481860600211993 --mojo-platform-channel-handle=3100 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2864"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=960,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=11266410188796666539 --mojo-platform-channel-handle=3824 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Total events
1 825
Read events
1 667
Write events
153
Delete events
5

Modification events

(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosX
Value:
44
(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosY
Value:
44
(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosDX
Value:
960
(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation:writeName:iWindowPosDY
Value:
501
(PID) Process:(1136) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1136) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1136) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(1136) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(1136) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(1136) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
Executable files
37
Suspicious files
108
Text files
229
Unknown types
38

Dropped files

PID
Process
Filename
Type
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\5b4bb8eb-1635-4071-9ba4-10f83aa5375b.tmp
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
1136chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
49
DNS requests
46
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1136
chrome.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.2 Kb
whitelisted
1136
chrome.exe
GET
200
173.194.183.170:80
http://r5---sn-aigl6ney.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=109.169.22.99&mm=28&mn=sn-aigl6ney&ms=nvh&mt=1560317199&mv=m&pl=22&shardbypass=yes
US
crx
842 Kb
whitelisted
1136
chrome.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.2 Kb
whitelisted
1136
chrome.exe
GET
302
172.217.22.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
504 b
whitelisted
1136
chrome.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.2 Kb
whitelisted
1136
chrome.exe
GET
200
143.204.178.38:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
1136
chrome.exe
GET
200
143.204.178.38:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
1136
chrome.exe
GET
301
194.32.146.61:80
http://anonfile.com/Tav8H6Ybmd/Orcus_rar
unknown
html
178 b
whitelisted
1136
chrome.exe
GET
200
143.204.178.38:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1136
chrome.exe
172.217.21.238:443
apis.google.com
Google Inc.
US
whitelisted
1136
chrome.exe
172.217.21.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1136
chrome.exe
172.217.18.3:443
www.gstatic.com
Google Inc.
US
whitelisted
1136
chrome.exe
216.58.206.14:443
clients1.google.com
Google Inc.
US
whitelisted
1136
chrome.exe
216.58.207.67:443
www.google.com.ua
Google Inc.
US
whitelisted
1136
chrome.exe
172.217.22.14:443
clients2.google.com
Google Inc.
US
whitelisted
1136
chrome.exe
172.217.18.173:443
accounts.google.com
Google Inc.
US
whitelisted
1136
chrome.exe
172.217.23.131:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1136
chrome.exe
172.217.16.161:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
1136
chrome.exe
172.217.22.78:80
redirector.gvt1.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.21.195
whitelisted
www.google.com.ua
  • 216.58.207.67
whitelisted
accounts.google.com
  • 172.217.18.173
shared
clients1.google.com
  • 216.58.206.14
whitelisted
ssl.gstatic.com
  • 172.217.23.131
whitelisted
clients2.google.com
  • 172.217.22.14
whitelisted
www.gstatic.com
  • 172.217.18.3
whitelisted
clients2.googleusercontent.com
  • 172.217.16.161
whitelisted
apis.google.com
  • 172.217.21.238
whitelisted
redirector.gvt1.com
  • 172.217.22.78
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
READ ME.txt