File name: 27.rar
Full analysis: https://app.any.run/tasks/90e3798b-8880-4a1a-ab3b-8cfefd4efc94
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions: attackers can extend it with plugins written against a custom development library, and its robust core feature set makes it one of the more dangerous malicious programs in its class.

Analysis date: April 15, 2019, 09:19:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, orcus
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 2FF6DBB642CFA32BDDD1D516914543F7
SHA1: 80C02A3E0F007F3FD5305D86AAEFD55F35488961
SHA256: E3521204D4C41931C48E570ECEFF8C90D8E1E391C8CAEBF817DE728CD73D9BA7
SSDEEP: 98304:r13ZEnF0faxoxm5eM/u+haRQ+QwqZ9so623jL2x4Yd6Lz0O5grUyCatryXG/TTSq:r1JSoxm5z/NQRCLyo6EzY8EUwJTTSq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
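The hashes above are the exact-match indicators a responder would sweep a host or a file share for. The script below is an added example, not ANY.RUN code and not part of the report: it hashes every file under a directory in one pass and matches the digests against an indicator set seeded from this page (the archive's MD5/SHA1/SHA256 plus, as a second entry, the hashes of the dropped Orcus.Plugins.resources.dll from the dropped-files list further down). The directory layout, file names and label strings are assumptions; SSDEEP is left out because the fuzzy hash needs a third-party module (python-ssdeep), whereas the three exact hashes come from the standard library.

```python
"""Hash-based IOC sweep over a directory tree.

Added example for this report; not ANY.RUN code. The digests in
REPORT_IOCS are copied from the report (the 27.rar sample and the dropped
Orcus.Plugins.resources.dll); directory layout, file names and the label
strings are assumptions for the demonstration. SSDEEP is omitted because
it needs a third-party module (python-ssdeep).
"""
import hashlib
import os
import sys
from typing import Dict, List, Tuple

CHUNK_SIZE = 1 << 20  # 1 MiB reads: large archives are not loaded whole into memory

# Indicator set: uppercase hex digest -> what it identifies (values from the report).
REPORT_IOCS: Dict[str, str] = {
    "2FF6DBB642CFA32BDDD1D516914543F7": "27.rar MD5",
    "80C02A3E0F007F3FD5305D86AAEFD55F35488961": "27.rar SHA1",
    "E3521204D4C41931C48E570ECEFF8C90D8E1E391C8CAEBF817DE728CD73D9BA7": "27.rar SHA256",
    "03258470C0C379C1EB894412FBA1F15C": "libraries/de/Orcus.Plugins.resources.dll MD5",
    "DE081D21B9D681D2E267A22CD679B215520AF8B6C7F50656915920014D1F0DE1": "libraries/de/Orcus.Plugins.resources.dll SHA256",
}


def hash_file(path: str) -> Dict[str, str]:
    """Compute MD5, SHA1 and SHA256 of one file in a single pass; digests are uppercase hex."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {
        "md5": md5.hexdigest().upper(),
        "sha1": sha1.hexdigest().upper(),
        "sha256": sha256.hexdigest().upper(),
    }


def match_iocs(digests: Dict[str, str], iocs: Dict[str, str]) -> List[str]:
    """Return the labels of every indicator equal to one of the file's digests.

    Comparison is case-insensitive on both sides, because reports and feeds
    mix upper- and lower-case hex.
    """
    table = {k.upper(): v for k, v in iocs.items()}
    return [table[d.upper()] for d in digests.values() if d.upper() in table]


def sweep(root: str, iocs: Dict[str, str] = REPORT_IOCS) -> List[Tuple[str, List[str]]]:
    """Walk `root` and return (path, matched labels) for each file that hits an indicator.

    Unreadable files (permission errors, temp files that vanish mid-walk) are
    skipped rather than aborting the whole sweep.
    """
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                labels = match_iocs(hash_file(path), iocs)
            except OSError:
                continue
            if labels:
                hits.append((path, labels))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_sweep.py <directory>   (script name is an assumption)
    for path, labels in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {', '.join(labels)}")
```

Because all three digests are computed in the same read, the cost of the sweep is one pass over the disk regardless of how many hash types the indicator feed uses; adding the dropped DLL hashes to the same table is what catches a partially cleaned-up extraction directory where the archive itself is already gone.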
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Orcus.Administration-cracked.exe (PID: 1244)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 2944)
      • Orcus.Administration-cracked.exe (PID: 1244)
    • Orcus was detected
      • Orcus.Administration-cracked.exe (PID: 1244)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3624)
    • Reads Environment values
      • Orcus.Administration-cracked.exe (PID: 1244)
  • INFO
    • Reads settings of System Certificates
      • Orcus.Administration-cracked.exe (PID: 1244)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 3624)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP group: ExifTool reads RAR headers with its ZIP module)

ArchivedFileName: Orcus.Administration-cracked.exe
PackingMethod: Normal
ModifyDate: 2017:05:26 12:43:14
OperatingSystem: Win32
UncompressedSize: 4143104
CompressedSize: 1034569

ArchivedFileName reports a single entry, but the dropped-files list further down shows the archive also carries a libraries\ directory of .NET assemblies and a settings.json.
Total processes: 35
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  ├─ winrar.exe (PID 3624)
  └─ orcus.administration-cracked.exe (PID 1244)  #ORCUS
searchprotocolhost.exe (PID 2944)  no specs

Process information

PID: 3624
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\27.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1244
CMD: "C:\Users\admin\Desktop\Orcus.Administration-cracked.exe"
Path: C:\Users\admin\Desktop\Orcus.Administration-cracked.exe
Parent process: explorer.exe
User: admin
Company: Orcus Technologies
Integrity Level: MEDIUM
Description: Orcus Administration
Exit code: 0
Version: 1.9.1.0

PID: 2944
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

Two things are worth reading off this table. The sample's own version information (Company: Orcus Technologies, Description: Orcus Administration, version 1.9.1.0) identifies it as the operator-side administration build of Orcus rather than the client payload, and it was started from the Desktop by explorer.exe at MEDIUM integrity, consistent with being launched by hand in the interactive session after WinRAR opened the archive. SearchProtocolHost.exe is the Windows Search indexer's helper, spawned by SearchIndexer.exe as SYSTEM and not by the sample; it appears under "Loads dropped or rewritten executable" most plausibly because the indexer read the freshly extracted files, so that hit on its own is not evidence of injection into a SYSTEM process.
Total events: 843
Read events: 806
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 48
Suspicious files: 0
Text files: 25
Unknown types: 24

Dropped files

Every entry on this page was written by WinRAR.exe (PID 3624) under C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\ while it handled 27.rar; the executable itself ran from C:\Users\admin\Desktop (see Process information).

libraries\de\Orcus.Plugins.resources.dll (executable)
  MD5: 03258470C0C379C1EB894412FBA1F15C
  SHA256: DE081D21B9D681D2E267A22CD679B215520AF8B6C7F50656915920014D1F0DE1
libraries\AForge.Video.DirectShow.dll (executable)
  MD5: 17ED442E8485AC3F7DC5B3C089654A61
  SHA256: 666D44798D94EAFA1ED21AF79E9BC0293FFD96F863AB5D87F78BCEE9EF9FFD6B
libraries\Be.Windows.Forms.HexBox.dll (executable)
  MD5: E00907B3D9270D4CCA87C25FF30BCD02
  SHA256: 5448E587498C560EF1D8E182344BC340A57CFD3B05C4507C48DA11E139035818
libraries\DirectoryInfoEx.dll (executable)
  MD5: 314955D214BB02847E7F8607A16EC550
  SHA256: 82FD40348EB630313D5032910D021EBD982FDDE086FBE73BA8947A6D2CB40357
libraries\FluentCommandLineParser.dll (executable)
  MD5: 9B5E37F89268CCCE0E098222004093AD
  SHA256: FE068B6F15A5423F86558927DD22EC35070C041DB9CDE1ECADE0590D93CA5285
libraries\Be.Windows.Forms.HexBox.xml (xml)
  MD5: B534569D28458990C1B2F68EAFA60BC3
  SHA256: 415EA2D9A22AB58E5F89ECE1CAF45FD61F2579EF0C700C990A997841F284E4E3
libraries\Exceptionless.Signed.dll (executable)
  MD5: 1B0128F8B2BF3AAFEC28817C2031DC70
  SHA256: 98672DFD5C31B77AFEBC9853539A828836EC72E7D9B0D5F5F5267AD2EBDA16BA
libraries\CSCore.xml (xml)
  MD5: 8FE5E0D1F87F336FA36572F6416A112E
  SHA256: DE74FF28FAC66264AB57FADC235CB6988263697EC0BF94388E6FBD7ECA4AE33F
libraries\Exceptionless.Wpf.Signed.dll (executable)
  MD5: EF36A316751603CDCB9C3F5DA42B3B60
  SHA256: 78FDD30A20EE50F88602059F0940ACC92D9BFC09BC5EBEBE99372D2A5AF7342A
settings.json (text)
  MD5: 98F2E3E6EE779B96279DDDC277BA6D30
  SHA256: 1461AA839B4C2D0DE78BA021D1EE3210ADF69F3DD0D661ED7AE9160C7AD1BA4E

Most of these are stock third-party .NET dependencies (AForge DirectShow video capture, the HexBox editor control, the CSCore audio library, FluentCommandLineParser) rather than Orcus code, so their hashes identify the bundled libraries and will also match unrelated software that ships the same versions; only Orcus.Plugins.resources.dll is Orcus-specific. The two Exceptionless assemblies are the crash-reporting client whose collector shows up in the Connections table below.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 3
Threats: 0 (the Threats table below nevertheless lists one Suricata alert; the counter and the table disagree on this page)

HTTP requests

No HTTP requests

Connections

PID 1244, Orcus.Administration-cracked.exe
  IP: 198.54.117.197:443
  Domain: www.orcus.one
  ASN: Namecheap, Inc.
  CN: US
  Reputation: malicious

PID 1244, Orcus.Administration-cracked.exe
  IP: 40.85.179.199:443
  Domain: collector.exceptionless.io
  ASN: Microsoft Corporation
  CN: US
  Reputation: unknown

Both connections go to port 443, which fits the "Reads settings of System Certificates" event (TLS certificate validation). www.orcus.one is evidently the Orcus vendor site, and collector.exceptionless.io is the collector endpoint of the Exceptionless error-reporting library bundled in the archive. On this run, then, the traffic is the administration tool reaching its vendor and its crash reporter; it does not by itself show the pattern an infected client would produce when beaconing to an operator's server, so these two endpoints are indicators of someone running the Orcus controller, not of a victim.

DNS requests

orcus.pw
  Resolved to: no address recorded
  Reputation: malicious
www.orcus.one
  Resolved to: 198.54.117.197, 198.54.117.198, 198.54.117.199, 198.54.117.200
  Reputation: malicious
collector.exceptionless.io
  Resolved to: 40.85.179.199
  Reputation: unknown

Threats

PID / Process: not attributed on this page
Class: Potentially Bad Traffic
Message: ET DNS Query to a *.pw domain - Likely Hostile

This is the Emerging Threats Suricata signature firing on the orcus.pw lookup listed above. The rule keys on the top-level domain alone, so it is a low-confidence hint that also fires on legitimate .pw traffic; corroborate it with the domain indicator itself (orcus.pw) rather than alerting on the signature by itself.
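The network section above gives three kinds of indicator: a TLD heuristic (the *.pw alert), exact domains with a reputation, and resolved addresses. The script below is an added example, not ANY.RUN code and not the Suricata rule itself; it runs those three checks over sandbox-style DNS and connection records and shows the two normalisation edge cases that commonly break naive matching (a mixed-case query with a trailing root dot, and a name that merely contains "pw"). IOC_DOMAINS and IOC_IPS are copied from the DNS and Connections tables; the *.pw check reimplements only the idea behind the ET alert (any query whose top-level domain is .pw), not the rule's text; the log format and SAMPLE_LOG lines are constructed for the demonstration.

```python
"""Match DNS and connection records against the network IOCs in the report.

Added example; not ANY.RUN code and not the Suricata rule. IOC_DOMAINS and
IOC_IPS are copied from the report's DNS and Connections tables. The *.pw
check reimplements only the idea behind "ET DNS Query to a *.pw domain"
(any query whose top-level domain is .pw). The record format and the lines
in SAMPLE_LOG are constructed for the demonstration.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple

IOC_DOMAINS: Dict[str, str] = {            # domain -> reputation from the report
    "orcus.pw": "malicious",
    "www.orcus.one": "malicious",
    "collector.exceptionless.io": "unknown",
}
IOC_IPS: Dict[str, str] = {                # resolved address -> reputation from the report
    "198.54.117.197": "malicious",
    "198.54.117.198": "malicious",
    "198.54.117.199": "malicious",
    "198.54.117.200": "malicious",
    "40.85.179.199": "unknown",
}
HOSTILE_TLDS = {"pw"}  # TLDs the ET rule family flags as likely hostile on sight


class Alert(NamedTuple):
    line_no: int
    pid: int
    kind: str        # "hostile-tld", "ioc-domain" or "ioc-ip"
    value: str
    reputation: str


# Constructed log, one record per line: "<time> <dns|conn> <pid> <query or ip:port>".
# Lines 7 and 8 are deliberate edge cases: a mixed-case query with a trailing
# root dot, and a name that contains "pw" without being under the .pw TLD.
SAMPLE_LOG = """\
09:19:20 dns  1244 orcus.pw
09:19:20 dns  1244 www.orcus.one
09:19:21 conn 1244 198.54.117.197:443
09:19:22 dns  1244 collector.exceptionless.io
09:19:22 conn 1244 40.85.179.199:443
09:19:30 dns  2944 update.example.net
09:19:31 dns  1244 WWW.ORCUS.ONE.
09:19:32 dns  1244 notpw.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(dns|conn)\s+(\d+)\s+(\S+)$")


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing root dot so 'WWW.ORCUS.ONE.' equals 'www.orcus.one'."""
    return name.strip().rstrip(".").lower()


def top_level_domain(name: str) -> str:
    return normalize_domain(name).rsplit(".", 1)[-1]


def check_dns(line_no: int, pid: int, query: str) -> List[Alert]:
    """Hostile-TLD heuristic plus exact IOC match; one query can raise both."""
    q = normalize_domain(query)
    alerts: List[Alert] = []
    if top_level_domain(q) in HOSTILE_TLDS:
        alerts.append(Alert(line_no, pid, "hostile-tld", q, "likely hostile"))
    if q in IOC_DOMAINS:
        alerts.append(Alert(line_no, pid, "ioc-domain", q, IOC_DOMAINS[q]))
    return alerts


def check_conn(line_no: int, pid: int, endpoint: str) -> List[Alert]:
    """Exact match of the destination IPv4 address (host or host:port) against the IOC list."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        ip = str(ipaddress.ip_address(host))   # canonical form; rejects non-addresses
    except ValueError:
        return []
    return [Alert(line_no, pid, "ioc-ip", ip, IOC_IPS[ip])] if ip in IOC_IPS else []


def analyze(log_text: str) -> List[Alert]:
    """Parse every record and collect alerts; lines that do not parse are skipped."""
    alerts: List[Alert] = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _ts, event, pid, value = m.groups()
        check = check_dns if event == "dns" else check_conn
        alerts.extend(check(n, int(pid), value))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Alert count per kind, for a one-line triage summary."""
    return dict(Counter(a.kind for a in alerts))


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"line {a.line_no:2d}  pid {a.pid}  {a.kind:<12} {a.value:<28} {a.reputation}")
    print(summarize(found))
```

Run against SAMPLE_LOG, the first line raises both the TLD heuristic and the exact-domain match, which is the corroboration the Threats note above asks for; line 7 matches despite its case and root dot, and lines 6 and 8 stay silent. The reputation field is carried through so that the collector.exceptionless.io and 40.85.179.199 hits, which the report rates "unknown", can be routed to a lower-priority queue than the Orcus domains.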