orcus

General

Target

tmp
Size

3.0MB
Sample

230218-xr2r7adb86
MD5

fd560527411b6fc1dec327027f1b6a51
SHA1

056c4273219177194fa2d4c7cd308470391a4c53
SHA256

4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61
SHA512

ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988
SSDEEP

49152:Jsa3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaukrrzI0AilFCvxHI:JjGUu1D1Uj6UnypSbzPo9JCm

Score

10^/10

Malware Config

Extracted

Family

orcus

Botnet

Sln

C2

193.138.195.211:10134

Mutex

eaf050d367294b239fe7db992d6ea4d7

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svc host
watchdog_path
AppData\svchost.exe

Targets

- Target
  
  tmp
- Size
  
  3.0MB
- MD5
  
  fd560527411b6fc1dec327027f1b6a51
- SHA1
  
  056c4273219177194fa2d4c7cd308470391a4c53
- SHA256
  
  4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61
- SHA512
  
  ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988
- SSDEEP
  
  49152:Jsa3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaukrrzI0AilFCvxHI:JjGUu1D1Uj6UnypSbzPo9JCm
Score

10^/10

orcus stormkitty sln persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Orcurs Rat Executable
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
behavioral1 behavioral2