3 Lifehacks Whereas Analyzing Orcus RAT in a Malware Sandbox

Deal Score0
Deal Score0

Jan 27, 2023The Hacker InformationMalware Analyzing

Orcus is a Distant Entry Trojan with some distinctive traits. The RAT permits attackers to create plugins and presents a sturdy core characteristic set that makes it fairly a harmful trojan horse in its class.

RAT is kind of a secure kind that at all times makes it to the highest.

ANY.RUN's top malware types in 2022
ANY.RUN’s prime malware varieties in 2022

That is why you may undoubtedly come throughout this kind in your apply, and the Orcus household particularly. To simplify your evaluation, now we have collected 3 lifehacks it is best to make the most of. Right here we go.

What’s Orcus RAT?

Definition. Orcus RAT is a kind of malicious software program program that allows distant entry and management of computer systems and networks. It’s a kind of Distant Entry Trojan (RAT) that has been utilized by attackers to achieve entry to and management computer systems and networks.

Capabilities. As soon as downloaded onto a pc or community, it begins to execute its malicious code, permitting the attacker to achieve entry and management. It’s able to stealing information, conducting surveillance, and launching DDoS assaults.

Distribution. The malware is normally unfold through malicious emails, web sites, and social engineering assaults. Additionally it is typically bundled with different malicious software program applications, corresponding to Trojans, worms, and viruses.

Lifehacks for Orcus RAT malware evaluation

The malware is designed to be tough to detect, because it typically makes use of subtle encryption and obfuscation methods to forestall detection. And if you might want to get to the core of Orcus, the RAT configuration has all the information you want.

And there are a number of lifehacks that it is best to take note of whereas performing the evaluation of Orcus RAT.

As we speak we examine the .NET pattern which you could obtain free of charge in ANY.RUN database:

SHA-256: 258a75a4dee6287ea6d15ad7b50b35ac478c156f0d8ebfc978c6bbbbc4d441e1

1 — Get to know Orcus lessons

You need to begin with checking malware lessons the place you may get the hidden program’s traits. A bunch of knowledge that lessons comprise is strictly what can be useful to your analysis.

An Orcus.Config namespace has these lessons:

  • Consts: Orcus’s information and directories information, e.g. the trail to the file the place person keystrokes are saved or to the listing the place the plugins utilized by a pattern reside.
  • Settings: comprise wrapper strategies for decrypting the malware configuration and its plugins.
  • SettingsData: is a static class solely with the encrypted malware and plugin configuration fields.

2 — Discover Orcus RAT assets

When you dive into the Settings class, you’ll be able to discover the GetDecryptedSettings technique. Later, it calls out the AES.Decrypt. And it appears to be like like your job is completed and the malware configuration is lastly discovered. However maintain on – the meeting would not comprise an Orcus.Shared.Encryption namespace.

GetDecryptedSettings method
GetDecryptedSettings technique

Orcus RAT shops further assemblies contained in the malware assets utilizing a ‘deflate’ algorithm. You’ll be able to go to the assets to seek out the mandatory meeting. Unpacking them will allow you to reveal the decryption algorithm that an Orcus pattern makes use of. That brings yet another lifehack for immediately.

3 — Decrypt information

Our treasure hunt goes on, as configuration information is encrypted.

Orcus RAT encrypts information utilizing the AES algorithm after which encodes the encrypted information utilizing Base64.

The best way to decrypt information:

  • generate the important thing from a given string utilizing Microsoft’s PBKDF1 implementation
  • decode the information from Base64
  • apply the generated key to decrypt the information through the AES256 algorithm in CBC mode.

On account of decoding, we get the malware configuration within the XML format. And all Orcus secrets and techniques are in your fingers now.

4 — Get all of sudden in a malware sandbox

Malware evaluation just isn’t a bit of cake, it undoubtedly takes effort and time to crack a pattern. That is why it is at all times nice to chop the road: get all of sudden and in a short while. The reply is straightforward – use a malware sandbox.

ANY.RUN malware sandbox routinely retrieves the Orcus RAT configuration. It is a a lot simpler option to analyze a malicious object. Strive it now – the service has already retrieved all information from this Orcus sample, so you’ll be able to get pleasure from easy analysis.

⚡ Write the “hackernews1” promo code at assist@any.run utilizing your enterprise e mail handle and get 14 days of ANY.RUN premium subscription free of charge!


The Orcus RAT masquerades as a reliable distant administration software, though it’s clear from its options and performance that it isn’t and was by no means supposed to be. Evaluation of the malware helps to get info for the cybersecurity of your organization.

Defend your enterprise from this risk – implement a complete safety technique, practice workers to acknowledge and keep away from malicious emails and web sites, and use dependable anti-virus and ANY.RUN malware sandbox to detect and analyze Orcus.

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we put up.

We will be happy to hear your thoughts

Leave a reply

Enable registration in settings - general