orcus | 57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
Size

100KB
Sample

221019-gxwkcsfdhq
MD5

b7756f9d9e8c5f4ba2c930adb666fbae
SHA1

8ddb9f2a559f6af5ccaa04c8b5b589d216357340
SHA256

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
SHA512

c5c85c86251c34530b672de0feee38bd148cddd53beb7191a250f09e6d504460c343a0f608e2002434e4b98585e61222f44bc159bfb2a340c0e73a3941bef67f
SSDEEP

1536:DQIAibOVOk3udovOyePC9Eop2h90L64QG9iDCzPgQD8Kg90a//MudDBG:DQ/ibOcIudovOy8CUwIOkCzgQq0UzxM

Score

10^/10

orcus plaguebot botnet evasion persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b.exe

Resource

win10v2004-20220812-en

orcus plaguebot botnet evasion persistence rat spyware stealer trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Targets

- Target
  
  57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
- Size
  
  100KB
- MD5
  
  b7756f9d9e8c5f4ba2c930adb666fbae
- SHA1
  
  8ddb9f2a559f6af5ccaa04c8b5b589d216357340
- SHA256
  
  57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
- SHA512
  
  c5c85c86251c34530b672de0feee38bd148cddd53beb7191a250f09e6d504460c343a0f608e2002434e4b98585e61222f44bc159bfb2a340c0e73a3941bef67f
- SSDEEP
  
  1536:DQIAibOVOk3udovOyePC9Eop2h90L64QG9iDCzPgQD8Kg90a//MudDBG:DQ/ibOcIudovOy8CUwIOkCzgQq0UzxM
Score

10^/10

orcus plaguebot botnet evasion persistence rat spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- PlagueBot
  PlagueBot is an open source Bot written in Pascal.
  botnet plaguebot
- Orcurs Rat Executable
- PlagueBot Executable
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusplaguebotbotnetevasionpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy