Windows
Analysis Report
LisectAVT_2403002A_21.exe
Overview

General Information

Detection: Orcus

Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Orcus RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- LisectAVT_2403002A_21.exe (PID: 4692, cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_21.exe", MD5: C4F84399032146F1645A388E500DD52B)
- LisectAVT_2403002A_21.exe (PID: 7616, cmdline: "C:\Users\user\AppData\Local\LisectAVT_2403002A_21.exe", MD5: C4F84399032146F1645A388E500DD52B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Orcus RAT | Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time. | No Attribution | | |
Extracted configuration (Malware Configuration Extractor):

```json
{
"AutostartBuilderProperty": {
"AutostartMethod": "Disable",
"TaskSchedulerTaskName": "Orcus",
"TaskHighestPrivileges": "true",
"RegistryHiddenStart": "true",
"RegistryKeyName": "Orcus",
"TryAllAutostartMethodsOnFail": "true"
},
"ChangeAssemblyInformationBuilderProperty": {
"ChangeAssemblyInformation": "false",
"AssemblyTitle": null,
"AssemblyDescription": null,
"AssemblyCompanyName": null,
"AssemblyProductName": null,
"AssemblyCopyright": null,
"AssemblyTrademarks": null,
"AssemblyProductVersion": "1.0.0.0",
"AssemblyFileVersion": "1.0.0.0"
},
"ChangeCreationDateBuilderProperty": {
"IsEnabled": "false",
"NewCreationDate": "2024-03-13T18:29:18"
},
"ChangeIconBuilderProperty": {
"ChangeIcon": "false",
"IconPath": null
},
"ClientTagBuilderProperty": {
"ClientTag": null
},
"ConnectionBuilderProperty": {
"IpAddresses": [
{
"Ip": "45.157.69.156",
"Port": "443"
}
]
},
"DataFolderBuilderProperty": {
"Path": "%appdata%\\Orcus"
},
"DefaultPrivilegesBuilderProperty": {
"RequireAdministratorRights": "false"
},
"DisableInstallationPromptBuilderProperty": {
"IsDisabled": "false"
},
"FrameworkVersionBuilderProperty": {
"FrameworkVersion": "NET40"
},
"HideFileBuilderProperty": {
"HideFile": "false"
},
"InstallationLocationBuilderProperty": {
"Path": "%programfiles%\\Orcus\\Orcus.exe"
},
"InstallBuilderProperty": {
"Install": "false"
},
"KeyloggerBuilderProperty": {
"IsEnabled": "false"
},
"MutexBuilderProperty": {
"Mutex": "3b453ed253424c82a94898f42bb6a1be"
},
"ProxyBuilderProperty": {
"ProxyOption": "None",
"ProxyAddress": null,
"ProxyPort": "1080",
"ProxyType": "2"
},
"ReconnectDelayProperty": {
"Delay": "10000"
},
"RequireAdministratorPrivilegesInstallerBuilderProperty": {
"RequireAdministratorPrivileges": "true"
},
"RespawnTaskBuilderProperty": {
"IsEnabled": "false",
"TaskName": "Orcus Respawner"
},
"ServiceBuilderProperty": {
"Install": "false"
},
"SetRunProgramAsAdminFlagBuilderProperty": {
"SetFlag": "false"
},
"WatchdogBuilderProperty": {
"IsEnabled": "false",
"Name": "OrcusWatchdog.exe",
"WatchdogLocation": "AppData",
"PreventFileDeletion": "false"
}
}
```
Yara matches (the Source and Strings columns are empty in this copy of the report):

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_OrcusRat | Yara detected Orcus RAT | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam | |
| | MAL_BackNet_Nov18_1 | Detects BackNet samples | Florian Roth | |
| | RAT_Orcus | unknown | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam | |
| | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen | |
| | JoeSecurity_OrcusRat | Yara detected Orcus RAT | J from THL <j@techhelplist.com> with thx to MalwareHunterTeam | |
No Sigma rule has matched
No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
2024-07-25T22:43:41.709292+0200 | 2022930 | 443 | 49702 | TCP | A Network Trojan was detected |
2024-07-25T22:44:19.643395+0200 | 2022930 | 443 | 49707 | TCP | A Network Trojan was detected |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
AV Detection

The per-entry values are not present in this copy of the report; only the evidence source and the number of entries remain.

Evidence source | Entries |
---|---|
Avira | 2 |
Malware Configuration Extractor | 1 |
Integrated Neural Analysis Model | 1 |
Static PE information | 1 |
Binary string | 8 |
IP Address | 1 |
ASN Name | 1 |
TCP traffic detected without corresponding DNS query | 9 |
String found in binary or memory | 31 |
Network traffic detected | 2 |
System Summary

Evidence source | Entries |
---|---|
Matched rule | 17 |
File source | 7 |
Long String | 1 |
Code function | 5 (12_2_00007FFAACCB7CF0, 12_2_00007FFAACCB75C0, 12_2_00007FFAACCC4719, 12_2_00007FFAACCBD028, and one entry without an address) |
Static PE information | 2 |
Binary or memory string | 24 |
Matched rule | 17 |
Static PE information | 2 |
Task registration methods | 2 |
Base64 encoded string | 1 |