orcus | 82f9c67cd58d44f75132c933b260fffa0810190781dfe9ad1e5bd2cc6d769b2a | Triage

Submit
Reports

Overview

overview

Static

static

SpooferBeta.exe

windows7-x64

SpooferBeta.exe

windows10-2004-x64

Sharing

General

Target

SpooferBeta.rar
Size

578KB
Sample

230327-hzrjvsec4v
MD5

b081c9a709d2ec92964c6c30dbc620ab
SHA1

ac5cbe059fefb09d63863b9d7b6da609a9db6449
SHA256

82f9c67cd58d44f75132c933b260fffa0810190781dfe9ad1e5bd2cc6d769b2a
SHA512

769e2f5292b0c71b9c9b3309f1407cb42bc8cdb918da19ec7b252451753c60b1cc7dda445b9806c80de74c335778ee6668790d274a8786091387c16a8591509b
SSDEEP

12288:R/ZXr081ZqJeQHahLdECnp2md3rKD1xALrsLI4k0VgNOWTlk6odJ0wI7:A87qY0GLvp2w7jLrMVGOWTlk6of0wG

Score

10^/10

orcus penis rat spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

SpooferBeta.exe

Resource

win7-20230220-en

orcus penis rat spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

SpooferBeta.exe

Resource

win10v2004-20230220-en

orcus penis rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

penis

C2

37.19.221.138:59263

Mutex

daaa2270cd59478cbf4b5ad981404ee1

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Spoof\Spoofer.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Spoofer
watchdog_path
AppData\SpoofWatchdog.exe

Targets

- Target
  
  SpooferBeta.exe
- Size
  
  919KB
- MD5
  
  114b320ed25589f4170e3bf68eb26404
- SHA1
  
  f6bd7034b40aca6c4666a45fa0acef9869badab1
- SHA256
  
  72cfe058d2067b02d9f93fe478840298e00148c6783e1ba105dc778c50543138
- SHA512
  
  ac66c5b2b54e06b75cfcb407e8b2884be1b2820b97ce5dd4531c0a5e2759f24cd0a85966d4a8a978487c1957974189bbf93a00465ff8051b4a65bac2fff522eb
- SSDEEP
  
  24576:LKa4MROxnFH3uRM47rrcI0AilFEvxHPXoot:LOMihul7rrcI0AilFEvxHP
Score

10^/10

orcus penis rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

orcuspenisratspywarestealer

behavioral2

orcuspenisratspywarestealer

© 2018-2024

Terms | Privacy