orcus | 3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53 | Triage

Submit
Reports

Overview

overview

Static

static

f6d66119_e...ed.exe

windows7_x64

f6d66119_e...ed.exe

windows10_x64

Sharing

General

Target

f6d66119_extracted
Size

953KB
Sample

210528-w2zdy9hk9a
MD5

7c0515a40b439d120deb649fb8ccafe3
SHA1

c081cb8c417f69a8675f9c90b5cc6778d770d8a7
SHA256

3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53
SHA512

12f160d3162f5fa8a62e972630e0e9c17385e7ab4a8760a8680f20a89f3acc64c1baff8a68b5a7b8e8f7785b72cac3ae7254bb1b223aacbe413a5e5a65455f41

Score

10^/10

orcus start - steam rat spyware stealer

Static task

static1

start - steam orcus

Behavioral task

behavioral1

Sample

f6d66119_extracted.exe

Resource

win7v20210410

orcus start - steam rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

f6d66119_extracted.exe

Resource

win10v20210408

orcus start - steam rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

orcus

Botnet

Start - Steam

C2

185.217.1.185:911

Mutex

a36e4add169c442b882f8f0c5cb7e8cf

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programdata%\Steam\Steam Client.exe
reconnect_delay
6600
registry_keyname
Steam Webhelper Standalone
taskscheduler_taskname
Steam Client WebHelper
watchdog_path
Temp\Steam Client WebHelper.exe

Targets

- Target
  
  f6d66119_extracted
- Size
  
  953KB
- MD5
  
  7c0515a40b439d120deb649fb8ccafe3
- SHA1
  
  c081cb8c417f69a8675f9c90b5cc6778d770d8a7
- SHA256
  
  3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53
- SHA512
  
  12f160d3162f5fa8a62e972630e0e9c17385e7ab4a8760a8680f20a89f3acc64c1baff8a68b5a7b8e8f7785b72cac3ae7254bb1b223aacbe413a5e5a65455f41
Score

10^/10

orcus start - steam rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus Main Payload
- Orcurs Rat Executable
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

start - steamorcus

behavioral1

orcusstart - steamratspywarestealer

behavioral2

orcusstart - steamratspywarestealer

© 2018-2024

Terms | Privacy