orcus | 144947ddb462ddbdb8a4f1e3fdca9278e268e5fb918f154897477776676cdf7a | Triage

Submit
Reports

Overview

overview

Static

static

ddad33460b...60.exe

windows7-x64

ddad33460b...60.exe

windows10-2004-x64

Sharing

General

Target

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.zip
Size

587KB
Sample

230321-r2kc1add7z
MD5

32fb004f6f9b11926725fb875479dd8e
SHA1

5443f49e5f111cb7bbd6b7aea6c039e0daa2911a
SHA256

144947ddb462ddbdb8a4f1e3fdca9278e268e5fb918f154897477776676cdf7a
SHA512

d95f77bf685fc6c6668eb25e65ea8b346adfb6440f10b95b6c4e4bc0866acead0744097f3f9a9376cc82a66586c2a9ad793ef5c478048254c386c3ede7cbd643
SSDEEP

12288:XwlXNwE4as62IibxMOv1fVMnHPLi65AuBML2e4z4TXmqYtR:AcEmea51fVKTT5pML2e24jmF

Score

10^/10

orcus persistence rat spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe

Resource

win7-20230220-en

orcus persistence rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe

Resource

win10v2004-20230220-en

orcus persistence rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

4.tcp.eu.ngrok.io:16452

Mutex

1b704d0841c7486288b6ef5dfe82a084

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
Cortana
watchdog_path
AppData\WindowsDefender.exe

Targets

- Target
  
  ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
- Size
  
  905KB
- MD5
  
  184e63d8cc64364cc3878378e56874ec
- SHA1
  
  29b0f6419e8d44ac70f0a8a8e91175b46238d093
- SHA256
  
  ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60
- SHA512
  
  5f8254cdcd387f496ab5c3e6a77552264ead620721f27ef080c5139dacfc923345db030132f54791c64e7ae18b1aec14fbb7cf4a2111e22d8e6b93a40e560e8d
- SSDEEP
  
  24576:9Aw4MROxnFj3IrkxrrcI0AilFEvxHPTToo4:9WMi1UqrrcI0AilFEvxHP
Score

10^/10

orcus persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

orcuspersistenceratspywarestealer

behavioral2

orcuspersistenceratspywarestealer

© 2018-2024

Terms | Privacy