orcus

General

Target

newResultprot.exe
Size

3.3MB
Sample

221123-s4g64aga7w
MD5

3ee4cc4a7fe52761e3cb486a6c2d8e3e
SHA1

c96c9bcdcc57cfc497f4b831398145b307c42b73
SHA256

ece849a1ae5c71db8aaac5ad98d2022e05448083120ff3f1f758c2c020d1d03e
SHA512

848e1a6dde72c3e3bdecdfb9bbe8e8e9d126fed1996a95b0294f18aee19f23c61a0d8a8947294a3a01f587edf37a59df11ce249611effd54832cbad940398515
SSDEEP

98304:F49p/IqTL48s8QLbr4jYgc3TZyd2H+L05kJj9878I:Fm5xzgLQjYg6NsvrGQ

Score

10^/10

Malware Config

Extracted

Family

orcus

Botnet

Isehaaa

C2

graphics-absorption.at.ply.gg:34218

Mutex

0dae1eed35bd43dc93a1d73544aa5ccf

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
C:\Program Files\Java\jdk-19\lib\javaw.exe
reconnect_delay
10000
registry_keyname
javaww
taskscheduler_taskname
javawww
watchdog_path
Temp\Runtime Broker.exe

Targets

- Target
  
  newResultprot.exe
- Size
  
  3.3MB
- MD5
  
  3ee4cc4a7fe52761e3cb486a6c2d8e3e
- SHA1
  
  c96c9bcdcc57cfc497f4b831398145b307c42b73
- SHA256
  
  ece849a1ae5c71db8aaac5ad98d2022e05448083120ff3f1f758c2c020d1d03e
- SHA512
  
  848e1a6dde72c3e3bdecdfb9bbe8e8e9d126fed1996a95b0294f18aee19f23c61a0d8a8947294a3a01f587edf37a59df11ce249611effd54832cbad940398515
- SSDEEP
  
  98304:F49p/IqTL48s8QLbr4jYgc3TZyd2H+L05kJj9878I:Fm5xzgLQjYg6NsvrGQ
Score

10^/10

orcus isehaaa collection persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1