orcus | 53943895601cbc79561cb30c9957715400d82a255d97ce36fe1b383bf3c240da | Triage

Submit
Reports

Overview

overview

Static

static

2A1C375935...F7.exe

windows7_x64

2A1C375935...F7.exe

windows10_x64

Sharing

General

Target

2A1C375935C741C5C329A614389E75F7.exe
Size

919KB
Sample

210418-6pbpxwr98j
MD5

2a1c375935c741c5c329a614389e75f7
SHA1

6e4aa9a62dc23d23e176551d0d35baebd9fb73cb
SHA256

53943895601cbc79561cb30c9957715400d82a255d97ce36fe1b383bf3c240da
SHA512

355b17d541962cde36c357f16c0eae231e112bd2d77ae4fb8bb27f7d767b076e37e0762c8e7f6dcc8edf27f171659f2418db9625c9600bff3b0f1dace1bc3c54

Score

10^/10

orcus persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

2A1C375935C741C5C329A614389E75F7.exe

Resource

win7v20210408

orcus persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2A1C375935C741C5C329A614389E75F7.exe

Resource

win10v20210410

orcus persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

orcus

C2

98.229.214.124:10134

Mutex

b1eacede88674ba6a69fac5ec304eeee

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Dababy\Dababy.exe
reconnect_delay
10000
registry_keyname
lol
taskscheduler_taskname
lol
watchdog_path
Temp\lIlIlIlIlIlIlIlIlI.exe

Targets

- Target
  
  2A1C375935C741C5C329A614389E75F7.exe
- Size
  
  919KB
- MD5
  
  2a1c375935c741c5c329a614389e75f7
- SHA1
  
  6e4aa9a62dc23d23e176551d0d35baebd9fb73cb
- SHA256
  
  53943895601cbc79561cb30c9957715400d82a255d97ce36fe1b383bf3c240da
- SHA512
  
  355b17d541962cde36c357f16c0eae231e112bd2d77ae4fb8bb27f7d767b076e37e0762c8e7f6dcc8edf27f171659f2418db9625c9600bff3b0f1dace1bc3c54
Score

10^/10

orcus persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus Main Payload
- Orcurs Rat Executable
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

orcuspersistenceratspywarestealer

behavioral2

orcuspersistenceratspywarestealer

© 2018-2024

Terms | Privacy