orcus | be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588 | Triage

Submit
Reports

Overview

overview

Static

static

3

Calculator...xe.exe

windows7-x64

Calculator...xe.exe

windows10-2004-x64

Sharing

General

Target

Calculator14VGAexe.exe
Size

1.7MB
Sample

240109-w4sjlsfefl
MD5

4c969f76c5c1150669e1a54cfa20ed1c
SHA1

037f9b972c732222ba259754f75868caaefd03a3
SHA256

be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588
SHA512

5246dd5f6ee9c747360431bc140779a4d316af51186c6bcc0d6d0f3bb20e633cbdee2296432fd08e4f9234089bbcb5c868e8c9d75b05b523af53c5d34cc3ea15
SSDEEP

49152:ODQxkKWUoI8cQFrqxevo2NdQNBwLPVhF6WT:j2KWUoILC3nQDwrVn6WT

Score

10^/10

orcus tg persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Calculator14VGAexe.exe

Resource

win7-20231215-en

orcus tg persistence rat spyware stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

Calculator14VGAexe.exe

Resource

win10v2004-20231215-en

orcus tg rat spyware stealer

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

tg

C2

10.0.2.15:6969

Mutex

a867e8d19abf423285769fa6d8e47601

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Java8update\updaterjava9.exe
reconnect_delay
10000
registry_keyname
RobloxJavaMaster
taskscheduler_taskname
Orcus
watchdog_path
AppData\RobloxUpdater04.exe

Targets

- Target
  
  Calculator14VGAexe.exe
- Size
  
  1.7MB
- MD5
  
  4c969f76c5c1150669e1a54cfa20ed1c
- SHA1
  
  037f9b972c732222ba259754f75868caaefd03a3
- SHA256
  
  be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588
- SHA512
  
  5246dd5f6ee9c747360431bc140779a4d316af51186c6bcc0d6d0f3bb20e633cbdee2296432fd08e4f9234089bbcb5c868e8c9d75b05b523af53c5d34cc3ea15
- SSDEEP
  
  49152:ODQxkKWUoI8cQFrqxevo2NdQNBwLPVhF6WT:j2KWUoILC3nQDwrVn6WT
Score

10^/10

orcus tg persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

orcustgpersistenceratspywarestealer

behavioral2

orcustgratspywarestealer

© 2018-2024

Terms | Privacy