orcus | e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582 | Triage

Submit
Reports

Overview

overview

Static

static

52EE41A432...E8.exe

windows7_x64

52EE41A432...E8.exe

windows10_x64

Sharing

General

Target

52EE41A4329C6874DF19851AC928C8E8.exe
Size

899KB
Sample

210712-c9zwaz3llj
MD5

52ee41a4329c6874df19851ac928c8e8
SHA1

ba47b57ff5b0c6d02ea5a1b80e96cee5387b03de
SHA256

e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582
SHA512

6f640819de2f407337578e047df76aadc23f2062c0a798a47a05bd6407b924f286f71cb4ef1c00b568223ac8e5c05afa39261cdcf86e8e913ff0e23096c201ac

Score

10^/10

orcus rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

52EE41A4329C6874DF19851AC928C8E8.exe

Resource

win7v20210410

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

52EE41A4329C6874DF19851AC928C8E8.exe

Resource

win10v20210408

orcus rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

orcus

C2

orcustop4ik.duckdns.org:6666

Mutex

9280ed1ca561486e8b0282e7c4fcd77c

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%appdata%\Windows Defender\UnzipManager.exe
reconnect_delay
10000
registry_keyname
Unzipper
taskscheduler_taskname
Unzipper
watchdog_path
AppData\WindowsServer\svhost.exe

Targets

- Target
  
  52EE41A4329C6874DF19851AC928C8E8.exe
- Size
  
  899KB
- MD5
  
  52ee41a4329c6874df19851ac928c8e8
- SHA1
  
  ba47b57ff5b0c6d02ea5a1b80e96cee5387b03de
- SHA256
  
  e7e7d51e82941b9eb56f82854e9682dc7a8593185ce6216082d5f795ceace582
- SHA512
  
  6f640819de2f407337578e047df76aadc23f2062c0a798a47a05bd6407b924f286f71cb4ef1c00b568223ac8e5c05afa39261cdcf86e8e913ff0e23096c201ac
Score

10^/10

orcus rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus Main Payload
- Orcurs Rat Executable
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

orcusratspywarestealer

© 2018-2024

Terms | Privacy