{
	"id": "4effa53e-eae2-43ed-96f6-ab494a778553",
	"created_at": "2026-04-06T00:09:49.659653Z",
	"updated_at": "2026-04-10T13:11:29.141564Z",
	"deleted_at": null,
	"sha1_hash": "2f583e9889af7e55d25c14477992c571749e9fb9",
	"title": "Orcus RAT Technical Malware Analysis and Configuration Extraction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2435546,
	"plain_text": "Orcus RAT Technical Malware Analysis and Configuration Extraction\r\nBy hardee\r\nPublished: 2023-02-13 · Archived: 2026-04-05 18:40:12 UTC\r\nOur malware analysts are always on the lookout for and researching various malicious samples. This time we came across Orcus RAT in the ANY.RUN online malware sandbox and decided to perform a technical malware analysis. In this article, you will learn how this RAT stores and protects its configuration and how to write a memory dump extractor in Python.\r\nWhat is Orcus RAT?\r\nOrcus is a Remote Access Trojan with some distinctive processes. The RAT allows attackers to create plugins and offers a robust core feature set that makes it quite a dangerous malicious program in its class.\r\nThe sample for the malware analysis has been obtained from the ANY.RUN database. You can find it and follow along:\r\nSHA-256 258a75a4dee6287ea6d15ad7b50b35ac478c156f0d8ebfc978c6bbbbc4d441e1\r\nWe downloaded the Orcus RAT sample and opened it in DiE to get basic information:\r\nhttps://any.run/cybersecurity-blog/orcus-rat-malware-analysis/\r\nPage 1 of 11\r\nThe DiE results show that we are dealing with a .NET sample, so it is high time to start the malware analysis of Orcus. For this, DnSpy comes in handy.\r\nOrcus RAT classes overview\r\nOur primary research goal is to find the RAT configuration. The first destination point is the malware classes. While going through them, we bump into a namespace called Orcus.Config, which contains the following classes:\r\nConsts includes information about the different files and directories that Orcus RAT uses. For example, the path to the file where user keystrokes are saved or to the directory where the plugins used by a sample reside.\r\nSettings contains wrapper methods for decrypting the malware configuration and its plugins.\r\nSettingsData is a static class containing only the encrypted malware and plugin configuration fields.\r\nOrcus malware resources\r\nInside the Settings class, we see the GetDecryptedSettings method. Later, it calls AES.Decrypt. After noticing this, we can suppose that the AES algorithm encrypts the malware configuration:\r\nThe AES class is imported from Orcus.Shared.Encryption. The only problem is that the assembly doesn’t contain such a namespace. To find it, we can go to the Orcus RAT resources:\r\nWe seem to have found an assembly orcus.shared. But what is this costura prefix? And why is the assembly stored with a .zip extension? We extracted this resource and tried to unpack it. Unfortunately, it was a miss – despite the .zip extension, this resource is not an archive.\r\nRealizing that, at some point, this assembly must be loaded into the application, we decided to look for the place where this happens, keeping that strange costura prefix in mind. It didn’t take us long – we found the Costura namespace, which contains the AssemblyLoader class. It is supposed to load the assemblies packed in Orcus resources.\r\nInside the AssemblyLoader class, we have caught how assemblies are loaded from resources:\r\nAfter repeating this operation with CyberChef, we got an unpacked assembly.\r\nTo avoid any second thoughts, we upload the unpacked assembly to DnSpy. Hopefully, it can confirm or deny our assumption about the encryption algorithm used by the Orcus RAT.\r\nThis class contains methods for encrypting and decrypting data, as well as an initialization vector field for the AES algorithm and a field with the key length. We are not really interested in the encryption process, but the data decryption is exactly what we need:\r\nOrcus RAT data decryption\r\nWe have found out the following information concerning data decryption:\r\n1. Base64 encoding is applied to the encrypted data in addition to the AES algorithm.\r\n2. The exact encryption type is AES256-CBC.\r\n3. We identified how the encryption key is derived.\r\nLet’s discuss this stage; it is definitely interesting. To generate the key for a given string, Orcus uses the PasswordDeriveBytes class, which is based on Microsoft’s PBKDF1 implementation. The malware uses the default settings, which means that the number of iterations for key generation is 100 and the hashing algorithm is SHA1.\r\nAre you wondering how it’s done? Here is a scenario:\r\nThe first 20 bytes proceed as usual, then a byte counter is added to each hashed byte of the inherited string from the 20th to the last byte. Taking this into account, we implemented it in Python:\r\nKnowing the correct key, you can decrypt the data using CyberChef.\r\nAs a result of decoding, we get the malware configuration in XML format.\r\nAutomating the configuration extraction process of Orcus RAT\r\nNow, we will write a Python script with the necessary data to decrypt and automate the configuration extraction. After studying some samples, we have seen that the strings with the encrypted data are located one after another in the UserString stream between two other specific UserString objects (the strings “case FromAdministrationPackage.GetScreen” and “klg_”).\r\nNext, using the dnfile library, we implement a simple algorithm that iterates through the UserStrings looking for the strings mentioned above. It is important to note that the number of strings found between them must be three:\r\n1. The main encrypted configuration of the malware\r\n2. The encrypted configuration of the plugins that Orcus uses\r\n3. The key from which the AES key will be generated\r\nYou can also always use the ANY.RUN service to automatically retrieve the Orcus RAT configuration. It’s a much easier way to analyze a malicious object in a short period of time. For example, the sandbox has already retrieved all data from this Orcus sample, so you can enjoy smooth research.\r\nConclusion\r\nIn this article, we briefly analyzed the Orcus RAT and automated its configuration extraction. The full version of the extractor is available at the link, so don’t forget to check it out!\r\nOrcus has become another chapter in our malware analysis series. Read our previous posts about STRRAT and Raccoon Stealer. What should we cover next?\r\nThe post blitz survey\r\nWhat is Orcus RAT?\r\nOrcus is a Remote Access Trojan that allows attackers to create plugins and offers a robust core feature set.\r\nWhere and how does Orcus store additional assemblies?\r\nOrcus RAT stores additional assemblies inside the malware resources using a ‘deflate’ algorithm.\r\nHow does Orcus encrypt data?\r\nOrcus RAT encrypts data using the AES algorithm and then encodes the encrypted data using Base64.\r\nHow can we decrypt Orcus RAT?\r\nFirst, you need to generate the key from a given string using Microsoft’s PBKDF1 implementation. Second, decode the data from Base64. Finally, apply the generated key to decrypt the data via the AES256 algorithm in CBC mode. As a result of decoding, we get the malware configuration in XML format.\r\nhardee\r\nReverse Engineer, Malware Analyst at ANY.RUN\r\nI contribute to open source from time to time and I am always up for a challenge.\r\nSource: https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/"
	],
	"report_names": [
		"orcus-rat-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434189,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f583e9889af7e55d25c14477992c571749e9fb9.pdf",
		"text": "https://archive.orkl.eu/2f583e9889af7e55d25c14477992c571749e9fb9.txt",
		"img": "https://archive.orkl.eu/2f583e9889af7e55d25c14477992c571749e9fb9.jpg"
	}
}