orcus | 30257f7538c093488cec42025711a59a5d7b9c4a6471bd22e2bedb24e26ba9ba | Triage

Submit
Reports

Overview

overview

Static

static

f5ec9c818e...6e.exe

windows7-x64

f5ec9c818e...6e.exe

windows10-2004-x64

Sharing

General

Target

f5ec9c818e5d515558f479915c1de23c803c55637825c6e8199760180bab866e.zip
Size

595KB
Sample

230321-r2kc1abc95
MD5

9e4c8752263f80b636d1249acd78fc5c
SHA1

0eb826257af21c8ab3855229f91f8ec32911584c
SHA256

30257f7538c093488cec42025711a59a5d7b9c4a6471bd22e2bedb24e26ba9ba
SHA512

4bba3a72f6b31ec13d6f1dfed57b1228919c791be62e40ec89320f399df18dabce576323a62a03fc185a725b21441ff462b2ea65f7199923eff3c3053f89f264
SSDEEP

12288:+vDODY2qr4BiqJXKJUCkIfxFthFxi/Wl2s0XAOE8CVRN8z:KCjMyZXiJfxFHFk/WlQXAOE8au

Score

10^/10

orcus rat spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

f5ec9c818e5d515558f479915c1de23c803c55637825c6e8199760180bab866e.exe

Resource

win7-20230220-en

orcus rat spyware stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

f5ec9c818e5d515558f479915c1de23c803c55637825c6e8199760180bab866e.exe

Resource

win10v2004-20230220-en

orcus rat spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

84.21.172.55:1339

Mutex

5e29a9dc07244cd5b38b6e685c293580

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\Chrome\ChromeUpdateService.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
SmarterScreen
watchdog_path
AppData\WindowsToolKit.exe

Targets

- Target
  
  f5ec9c818e5d515558f479915c1de23c803c55637825c6e8199760180bab866e.exe
- Size
  
  916KB
- MD5
  
  1531ddf6b03ab9f7b0c46381210d82ca
- SHA1
  
  53f1566838a6e380e6f83e256ab7aac1e028f39f
- SHA256
  
  f5ec9c818e5d515558f479915c1de23c803c55637825c6e8199760180bab866e
- SHA512
  
  4ea19ccdccfc6532f9a71731df3766cc785d44e8cfabccb624cd99aae14efcb0c2925c9143b699fc6bc7f036c74d41ee476f56df247004a871d006d5e9f5d51e
- SSDEEP
  
  24576:ZVWC4MROxnFD3kw8XlrrcI0AilFEvxHPMrooG:ZqMiJorrcI0AilFEvxHP
Score

10^/10

orcus rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

orcusratspywarestealer

behavioral2

orcusratspywarestealer

© 2018-2024

Terms | Privacy