orcus | 1bbc88529caf638cf60f3a41ce43584a520570787f0bba8311bc7d2f08cf22ea | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

1bbc88529caf638cf60f3a41ce43584a520570787f0bba8311bc7d2f08cf22ea
Size

20KB
Sample

221019-gxw6wsfeak
MD5

4eea37f9744cf0ac3892fb5bc8386f75
SHA1

3d439ea9ef84d2728e02c3f373a77ab26d1554c6
SHA256

1bbc88529caf638cf60f3a41ce43584a520570787f0bba8311bc7d2f08cf22ea
SHA512

4a5cbfb32a2f27b7c3aca9d06c17c0f26be3503a84d34d860f501c8b3b1ac2382c97202556ea8e45b57d9d80a3006c2792f845df4c75456e688a6629e21f1cc7
SSDEEP

384:MvEzJv2p/0zz35aAyWZUkTRUNtArOV/OYzcWBqNuhBnPka:zJup/0bdR+VWtWo4Pk

Score

10^/10

orcus plaguebot quasar skynet botnet persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

1bbc88529caf638cf60f3a41ce43584a520570787f0bba8311bc7d2f08cf22ea.exe

Resource

win10v2004-20220812-en

orcus plaguebot quasar skynet botnet persistence rat spyware stealer trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

SKYNET

C2

173.225.115.99:7702

Mutex

938cda17-a814-4925-8420-83a35a350164

Attributes

encryption_key
F04A75E6507173FAEEC2BB82C564030A5E8413FF
install_name
FileHistory.exe
log_directory
Logs
reconnect_delay
4000
startup_key
FileHistory
subdirectory
FileHistory

Extracted

Family

orcus

C2

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Targets

- Target
  
  1bbc88529caf638cf60f3a41ce43584a520570787f0bba8311bc7d2f08cf22ea
- Size
  
  20KB
- MD5
  
  4eea37f9744cf0ac3892fb5bc8386f75
- SHA1
  
  3d439ea9ef84d2728e02c3f373a77ab26d1554c6
- SHA256
  
  1bbc88529caf638cf60f3a41ce43584a520570787f0bba8311bc7d2f08cf22ea
- SHA512
  
  4a5cbfb32a2f27b7c3aca9d06c17c0f26be3503a84d34d860f501c8b3b1ac2382c97202556ea8e45b57d9d80a3006c2792f845df4c75456e688a6629e21f1cc7
- SSDEEP
  
  384:MvEzJv2p/0zz35aAyWZUkTRUNtArOV/OYzcWBqNuhBnPka:zJup/0bdR+VWtWo4Pk
Score

10^/10

orcus plaguebot quasar skynet botnet persistence rat spyware stealer trojan
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- PlagueBot
  PlagueBot is an open source Bot written in Pascal.
  botnet plaguebot
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Orcurs Rat Executable
- PlagueBot Executable
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

orcusplaguebotquasarskynetbotnetpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy