win.orcus_rat

Orcus RAT

aka: Schnorchel

Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT, and probably more. The long list of commands is documented on the vendor's website. What separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition, users can execute C# and VB.net code on the remote machine in real time.

References
2019-08-28 — Cisco Talos — Edmund Brumaghin, Holger Unterbrink
@online{brumaghin:20190828:rat:dadd9c5, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{RAT Ratatouille: Backdooring PCs with leaked RATs}}, date = {2019-08-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html}, language = {English}, urldate = {2020-01-13} } RAT Ratatouille: Backdooring PCs with leaked RATs
Orcus RAT
2019-04-02 — KrebsOnSecurity — Brian Krebs
@online{krebs:20190402:canadian:4743d2d, author = {Brian Krebs}, title = {{Canadian Police Raid ‘Orcus RAT’ Author}}, date = {2019-04-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/}, language = {English}, urldate = {2019-12-19} } Canadian Police Raid ‘Orcus RAT’ Author
Orcus RAT
2019-02-27 — Check Point — Check Point
@online{point:20190227:protecting:fd60a96, author = {Check Point}, title = {{Protecting Against WinRAR Vulnerabilities}}, date = {2019-02-27}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/}, language = {English}, urldate = {2020-01-07} } Protecting Against WinRAR Vulnerabilities
Orcus RAT
2017-12-07 — Fortinet — Floser Bacurio, Joie Salvio
@online{bacurio:20171207:peculiar:e4c095f, author = {Floser Bacurio and Joie Salvio}, title = {{A Peculiar Case of Orcus RAT Targeting Bitcoin Investors}}, date = {2017-12-07}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors}, language = {English}, urldate = {2020-01-08} } A Peculiar Case of Orcus RAT Targeting Bitcoin Investors
Orcus RAT
2016-08-02 — Palo Alto Networks Unit 42 — Vicky Ray
@online{ray:20160802:orcus:c86492b, author = {Vicky Ray}, title = {{Orcus – Birth of an unusual plugin builder RAT}}, date = {2016-08-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/}, language = {English}, urldate = {2019-12-20} } Orcus – Birth of an unusual plugin builder RAT
Orcus RAT
2016-07-21 — KrebsOnSecurity — Brian Krebs
@online{krebs:20160721:canadian:5c7f22f, author = {Brian Krebs}, title = {{Canadian Man Behind Popular ‘Orcus RAT’}}, date = {2016-07-21}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/}, language = {English}, urldate = {2019-07-11} } Canadian Man Behind Popular ‘Orcus RAT’
Orcus RAT
Yara Rules
[TLP:WHITE] win_orcus_rat_auto (7417966c | autogenerated rule brought to you by yara-signator)
rule win_orcus_rat_auto {
    // Autogenerated detection rule for the Orcus RAT family (win.orcus_rat).
    // Fires when at least 7 of the 10 opcode byte sequences below are present
    // in a file smaller than 2638848 bytes (see `condition`).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-04-21"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.3.1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat"
        malpedia_version = "7417966c"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex byte pattern. `??` is the YARA single-byte
        // wildcard; here it sits where the decoded instruction carries an
        // absolute address or relative displacement (e.g. a2????????,
        // e9????????), so those operand bytes are ignored when matching.
        // The indented `//` lines under each pattern are the generator's
        // disassembly notes; `n` is the number of instructions in the
        // sequence and has no effect on matching. The meaning of `score` is
        // not documented on this page — presumably a selection metric from
        // yara-signator; confirm against the tool before relying on it.
        // NOTE(review): several decoded instructions (e.g. `in al, dx`,
        // `rcr byte ptr [2], 1`, `push es`) do not look like typical compiler
        // output, so these patterns may come from non-code or misaligned
        // regions of the sample. Treat them as opaque byte signatures, not as
        // semantically meaningful code, and validate on fresh samples.
        $sequence_0 = { d01d02000000 8618 8005????????93 06 ec 1d02000000 e101 }
            // n = 7, score = 100
            //   d01d02000000         | rcr                 byte ptr [2], 1
            //   8618                 | xchg                byte ptr [eax], bl
            //   8005????????93       |                     
            //   06                   | push                es
            //   ec                   | in                  al, dx
            //   1d02000000           | sbb                 eax, 2
            //   e101                 | loope               3

        $sequence_1 = { 8bec a2???????? b541 b17e b19d c3 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   a2????????           |                     
            //   b541                 | mov                 ch, 0x41
            //   b17e                 | mov                 cl, 0x7e
            //   b19d                 | mov                 cl, 0x9d
            //   c3                   | ret                 

        // $sequence_2 and $sequence_9 overlap $sequence_0; $sequence_6 and
        // $sequence_8 overlap $sequence_3/$sequence_5. Overlapping sequences
        // will tend to match together, which effectively lowers the
        // independent evidence behind the "7 of them" threshold.
        $sequence_2 = { 8618 8005????????93 06 ec 1d02000000 }
            // n = 5, score = 100
            //   8618                 | xchg                byte ptr [eax], bl
            //   8005????????93       |                     
            //   06                   | push                es
            //   ec                   | in                  al, dx
            //   1d02000000           | sbb                 eax, 2

        $sequence_3 = { 129bc108ed27 4b c57eb2 4c }
            // n = 4, score = 100
            //   129bc108ed27         | adc                 bl, byte ptr [ebx + 0x27ed08c1]
            //   4b                   | dec                 ebx
            //   c57eb2               | lds                 edi, ptr [esi - 0x4e]
            //   4c                   | dec                 esp

        $sequence_4 = { b17e b19d c3 2f 96 49 fd }
            // n = 7, score = 100
            //   b17e                 | mov                 cl, 0x7e
            //   b19d                 | mov                 cl, 0x9d
            //   c3                   | ret                 
            //   2f                   | das                 
            //   96                   | xchg                eax, esi
            //   49                   | dec                 ecx
            //   fd                   | std                 

        $sequence_5 = { 4c ec 27 cb e9???????? }
            // n = 5, score = 100
            //   4c                   | dec                 esp
            //   ec                   | in                  al, dx
            //   27                   | daa                 
            //   cb                   | retf                
            //   e9????????           |                     

        $sequence_6 = { 49 fd 129bc108ed27 4b c57eb2 4c }
            // n = 6, score = 100
            //   49                   | dec                 ecx
            //   fd                   | std                 
            //   129bc108ed27         | adc                 bl, byte ptr [ebx + 0x27ed08c1]
            //   4b                   | dec                 ebx
            //   c57eb2               | lds                 edi, ptr [esi - 0x4e]
            //   4c                   | dec                 esp

        $sequence_7 = { 48 ff4848 48 ff4848 }
            // n = 4, score = 100
            //   48                   | dec                 eax
            //   ff4848               | dec                 dword ptr [eax + 0x48]
            //   48                   | dec                 eax
            //   ff4848               | dec                 dword ptr [eax + 0x48]

        $sequence_8 = { 4b c57eb2 4c ec 27 }
            // n = 5, score = 100
            //   4b                   | dec                 ebx
            //   c57eb2               | lds                 edi, ptr [esi - 0x4e]
            //   4c                   | dec                 esp
            //   ec                   | in                  al, dx
            //   27                   | daa                 

        $sequence_9 = { 06 d01d02000000 8618 8005????????93 06 ec }
            // n = 6, score = 100
            //   06                   | push                es
            //   d01d02000000         | rcr                 byte ptr [2], 1
            //   8618                 | xchg                byte ptr [eax], bl
            //   8005????????93       |                     
            //   06                   | push                es
            //   ec                   | in                  al, dx

    condition:
        // Require at least 7 of the 10 sequences, and cap the scanned file size
        // at 2638848 bytes (~2.5 MiB). The cap is emitted by the generator,
        // presumably from the reference sample's size — confirm before reusing
        // the rule on memory dumps or larger builds, which it will not match.
        7 of them and filesize < 2638848
}