
3 Lifehacks While Analyzing Orcus RAT in a Malware Sandbox

Written by admin, January 27, 2023. Categories: Hacker news, Malware analysis


Orcus is a remote access Trojan with some distinct characteristics. The RAT lets attackers write plug-ins and offers a powerful core feature set, which makes it one of the more dangerous malware families in its class.

RATs are a consistently stable malware type that always ranks near the top.

That is why you will surely come across this species in your practice, and the Orcus family in particular. To simplify your analysis, we have put together three life hacks you should take advantage of. Here they are.

What is Orcus RAT?

Definition. Orcus RAT is malware that gives an attacker remote access to and control over computers and networks. It is a Remote Access Trojan (RAT) that attackers use to gain access to and control computers and networks.

Capabilities. Once it lands on a computer or network, it starts executing malicious code that gives the attacker access and control. It can steal data, conduct surveillance and launch DDoS attacks.

Distribution. The malware is usually spread through malicious emails, websites and social engineering attacks. It is also often bundled with other malware such as Trojans, worms and viruses.

Life hacks for Orcus RAT malware analysis

Malware is designed to be hard to detect and often uses sophisticated encryption and obfuscation techniques to stay hidden. And if you need to get to the core of Orcus, the RAT's configuration contains all the data you need.

Here are several hacks to keep in mind while performing an Orcus RAT analysis.

Today we investigate a .NET sample that you can download for free from the ANY.RUN database:

SHA-256: 258a75a4dee6287ea6d15ad7b50b35ac478c156f0d8ebfc978c6bbbbc4d441e1

1 – Learn about the Orcus classes

Start by examining the malware's classes, where the program's hidden functionality lives. The data these classes hold is exactly what you need for your research.

The Orcus.Config namespace contains these classes:

  • Constus: data about Orcus files and directories, e.g. the path to the file where user keystrokes are saved or to the directory where the plug-ins used by a sample are located.
  • Settings: contains the methods that decrypt the configuration of the malware and its plug-ins.
  • DataSettings: a static class holding the encrypted configuration fields of the malware and its plug-ins.

2 – Find Orcus RAT resources

Once you dive into the Settings class, you will notice the GetDecryptedSettings method. It, in turn, calls AES decryption. It looks like your task is complete and the malware configuration is finally found. But wait: the assembly does not contain the Orcus.Shared.Encryption namespace.

GetDecryptedSettings method

Orcus RAT stores additional assemblies, compressed, inside the malware's resources. Go to the resources to find the assembly you need. Unpacking it reveals the decryption algorithm used by the Orcus sample. That is one more step closer to the goal.

3 – Decrypt the data

Our treasure hunt continues, because the configuration data is encrypted.

Orcus RAT encrypts the data with the AES algorithm and then encodes the encrypted data with Base64.

How to decrypt the data:

  • Derive the key from a specific string using Microsoft's PBKDF1 implementation
  • Decode the data from Base64
  • Apply the derived key to decrypt the data with AES-256 in CBC mode

As a result of decryption, we get the malware configuration in XML format. All of Orcus's secrets are now in your hands.
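The three steps above as an added Python example (not code from the article, from ANY.RUN or from Orcus itself). The point worth seeing in code is the key derivation: Microsoft's PBKDF1 implementation in .NET, PasswordDeriveBytes, uses a non-standard extension to produce a 32-byte AES-256 key from a single SHA-1 digest, so a plain PBKDF1 library gives the wrong key. The password string, salt and IV are whatever the sample passes in; the article does not list them, so the values used here are constructed placeholders, and the AES step assumes pycryptodome is installed.

```python
import base64
import hashlib


def pbkdf1_sha1(password: bytes, salt: bytes, iterations: int = 100) -> bytes:
    """Standard PBKDF1 with SHA-1 (RFC 2898): at most one 20-byte digest."""
    digest = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def ms_password_derive_bytes(password: bytes, salt: bytes, key_len: int,
                             iterations: int = 100) -> bytes:
    """Mimic .NET PasswordDeriveBytes.GetBytes(key_len) with its SHA-1 defaults.

    .NET keeps the value *before* the final PBKDF1 round ("base") and, for every
    block after the first, hashes the ASCII decimal counter "1", "2", ... followed
    by base. So the first 20 bytes equal plain PBKDF1; the remaining bytes do not.
    """
    base = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 2):          # stop one round early, as .NET does
        base = hashlib.sha1(base).digest()
    out = hashlib.sha1(base).digest()        # final round == PBKDF1 output
    counter = 1
    while len(out) < key_len:
        out += hashlib.sha1(str(counter).encode("ascii") + base).digest()
        counter += 1
    return out[:key_len]


def pkcs7_unpad(data: bytes, block: int = 16) -> bytes:
    """Strip the PKCS#7 padding .NET's AES adds by default; reject malformed tails."""
    if not data or len(data) % block:
        raise ValueError("ciphertext length is not a whole number of AES blocks")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong password, salt or IV?)")
    return data[:-n]


def decrypt_config(encoded: str, password: bytes, salt: bytes, iv: bytes) -> bytes:
    """Base64-decode the blob, then AES-256-CBC-decrypt it with the derived key.

    Returns the plaintext XML. password is the UTF-8 bytes of the sample's key
    string; salt and iv are the values the sample passes to its crypto calls.
    """
    from Crypto.Cipher import AES            # pycryptodome; assumed to be installed
    key = ms_password_derive_bytes(password, salt, 32)   # 32 bytes -> AES-256
    ciphertext = base64.b64decode(encoded, validate=True)
    return pkcs7_unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext))
```

A call such as `decrypt_config(blob_from_DataSettings, b"<key string>", b"<salt>", b"<iv>")` with the sample's own values returns the XML configuration; a padding error usually means one of those three inputs is wrong.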

Get it all at once in a malware sandbox

Malware analysis is not a piece of cake; it takes time and effort to crack a sample. That is why it is always great to take a shortcut: get everything at once and in no time. The answer is simple: use a malware sandbox.

The ANY.RUN malware sandbox automatically extracts the configuration of Orcus RAT. It is a much easier way to analyze a malicious sample. Try it now: the service has already recovered all the data from this Orcus sample, so you can browse the results right away.

⚡ Use the promo code “hackernews1” when signing up with your work email address and get 14 days of ANY.RUN premium subscription for FREE!


Orcus RAT masquerades as a legitimate remote administration tool, although it is clear from its features and functionality that it is not and was never intended to be one. Malware analysis helps you gather the information your company's cyber security needs.

PROTECT YOUR BUSINESS FROM THIS THREAT – Implement a comprehensive security strategy, train employees to recognize and avoid malicious emails and websites, and use a reliable antivirus and the ANY.RUN malware sandbox to detect and analyze Orcus.

Found this article interesting? Follow us on Twitter and LinkedIn to read more of our exclusive content.
