File name: | 27.rar |
Full analysis: | https://app.any.run/tasks/90e3798b-8880-4a1a-ab3b-8cfefd4efc94 |
Verdict: | Malicious activity |
Threats: | Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class. |
Analysis date: | April 15, 2019, 09:19:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 2FF6DBB642CFA32BDDD1D516914543F7 |
SHA1: | 80C02A3E0F007F3FD5305D86AAEFD55F35488961 |
SHA256: | E3521204D4C41931C48E570ECEFF8C90D8E1E391C8CAEBF817DE728CD73D9BA7 |
SSDEEP: | 98304:r13ZEnF0faxoxm5eM/u+haRQ+QwqZ9so623jL2x4Yd6Lz0O5grUyCatryXG/TTSq:r1JSoxm5z/NQRCLyo6EzY8EUwJTTSq |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | Orcus.Administration-cracked.exe |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2017:05:26 12:43:14 |
OperatingSystem: | Win32 |
UncompressedSize: | 4143104 |
CompressedSize: | 1034569 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3624 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\27.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1244 | "C:\Users\admin\Desktop\Orcus.Administration-cracked.exe" | C:\Users\admin\Desktop\Orcus.Administration-cracked.exe | explorer.exe | |
User: admin Company: Orcus Technologies Integrity Level: MEDIUM Description: Orcus Administration Exit code: 0 Version: 1.9.1.0 | ||||
2944 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\de\Orcus.Plugins.resources.dll | executable | |
MD5:03258470C0C379C1EB894412FBA1F15C | SHA256:DE081D21B9D681D2E267A22CD679B215520AF8B6C7F50656915920014D1F0DE1 | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\AForge.Video.DirectShow.dll | executable | |
MD5:17ED442E8485AC3F7DC5B3C089654A61 | SHA256:666D44798D94EAFA1ED21AF79E9BC0293FFD96F863AB5D87F78BCEE9EF9FFD6B | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Be.Windows.Forms.HexBox.dll | executable | |
MD5:E00907B3D9270D4CCA87C25FF30BCD02 | SHA256:5448E587498C560EF1D8E182344BC340A57CFD3B05C4507C48DA11E139035818 | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\DirectoryInfoEx.dll | executable | |
MD5:314955D214BB02847E7F8607A16EC550 | SHA256:82FD40348EB630313D5032910D021EBD982FDDE086FBE73BA8947A6D2CB40357 | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\FluentCommandLineParser.dll | executable | |
MD5:9B5E37F89268CCCE0E098222004093AD | SHA256:FE068B6F15A5423F86558927DD22EC35070C041DB9CDE1ECADE0590D93CA5285 | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Be.Windows.Forms.HexBox.xml | xml | |
MD5:B534569D28458990C1B2F68EAFA60BC3 | SHA256:415EA2D9A22AB58E5F89ECE1CAF45FD61F2579EF0C700C990A997841F284E4E3 | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Exceptionless.Signed.dll | executable | |
MD5:1B0128F8B2BF3AAFEC28817C2031DC70 | SHA256:98672DFD5C31B77AFEBC9853539A828836EC72E7D9B0D5F5F5267AD2EBDA16BA | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\CSCore.xml | xml | |
MD5:8FE5E0D1F87F336FA36572F6416A112E | SHA256:DE74FF28FAC66264AB57FADC235CB6988263697EC0BF94388E6FBD7ECA4AE33F | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\libraries\Exceptionless.Wpf.Signed.dll | executable | |
MD5:EF36A316751603CDCB9C3F5DA42B3B60 | SHA256:78FDD30A20EE50F88602059F0940ACC92D9BFC09BC5EBEBE99372D2A5AF7342A | |||
3624 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3624.49979\settings.json | text | |
MD5:98F2E3E6EE779B96279DDDC277BA6D30 | SHA256:1461AA839B4C2D0DE78BA021D1EE3210ADF69F3DD0D661ED7AE9160C7AD1BA4E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1244 | Orcus.Administration-cracked.exe | 198.54.117.197:443 | www.orcus.one | Namecheap, Inc. | US | malicious |
1244 | Orcus.Administration-cracked.exe | 40.85.179.199:443 | collector.exceptionless.io | Microsoft Corporation | US | unknown |
Domain | IP | Reputation |
---|---|---|
orcus.pw |
| malicious |
www.orcus.one |
| malicious |
collector.exceptionless.io |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |