orcus | eac86f0d431431bfa29cfc4bbe2204c4124bce7c53535d37bed26f50a11d5241 | Triage

Submit
Reports

Overview

overview

Static

static

5280de06cf...89.exe

windows7-x64

5280de06cf...89.exe

windows10-2004-x64

Sharing

General

Target

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.zip
Size

587KB
Sample

230321-r2h5yadd7x
MD5

9b2e3e28488432c4b0485b3ac06e7fd5
SHA1

c3fc54458ab5762a33fb566dbb746fcfda10e6b5
SHA256

eac86f0d431431bfa29cfc4bbe2204c4124bce7c53535d37bed26f50a11d5241
SHA512

cfa9b7aa7c7ed0062e4e51db478efb7d45a151e683c11e96700c8702f4e3bfcafd63dc78eebfb9de33493cc680e2b6b25037f4bdfe98dc394c67a2658ed7ca0a
SSDEEP

12288:lNnP65mrSN0Vl4ATVn/g84Eo4UAwsED0qfJzY18:nni5mrSQlHe4Yj1p

Score

10^/10

orcus persistence rat spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe

Resource

win7-20230220-en

orcus persistence rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe

Resource

win10v2004-20230220-en

orcus persistence rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

4.tcp.eu.ngrok.io:16452

Mutex

1b704d0841c7486288b6ef5dfe82a084

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
Cortana
watchdog_path
AppData\WindowsDefender.exe

Targets

- Target
  
  5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
- Size
  
  905KB
- MD5
  
  4309184cb5cc16c9d398559f0488664d
- SHA1
  
  8e9eab97272652afa19b858a8722488388f68968
- SHA256
  
  5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789
- SHA512
  
  1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e
- SSDEEP
  
  24576:ZVWC4MROxnFj31rkxrrcI0AilFEvxHPNbyooI:ZqMi1JqrrcI0AilFEvxHP
Score

10^/10

orcus persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

orcuspersistenceratspywarestealer

behavioral2

orcuspersistenceratspywarestealer

© 2018-2024

Terms | Privacy