orcus | 145ef7d4061512fb35174aa38789a7a4f75da2d858e4255855fa602be1e86ae2 | Triage

Submit
Reports

Overview

overview

Static

static

x.exe

windows10-2004-x64

Sharing

General

Target

x.exe
Size

914KB
Sample

240115-bm4v4aeefp
MD5

4a88c81affbad6c8c8d446d992b008b7
SHA1

b60bca9c2a99ee01eee5f18a28debb4b454dc27e
SHA256

145ef7d4061512fb35174aa38789a7a4f75da2d858e4255855fa602be1e86ae2
SHA512

19d254e427319c328a3e574bf27cc06867e0852ab24310f38551673080da7ce52cafc7326f9220121291341b1da5af6a0365f0ed255ffdcacea0f9ff61699ac3
SSDEEP

24576:ycI4MROxnFD3jEsYxrZlI0AilFEvxHiCX:ycrMiJWrZlI0AilFEvxHi

Score

10^/10

orcus x persistence rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

x.exe

Resource

win10v2004-20231215-en

orcus x persistence rat spyware stealer

windows10-2004-x64

16 signatures

1200 seconds

Malware Config

Extracted

Family

orcus

Botnet

x

C2

147.185.221.17:64220

Mutex

ebe58f4f925844dfbb86d949221d923c

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
90734242
taskscheduler_taskname
DLL
watchdog_path
Temp\System.exe

Targets

- Target
  
  x.exe
- Size
  
  914KB
- MD5
  
  4a88c81affbad6c8c8d446d992b008b7
- SHA1
  
  b60bca9c2a99ee01eee5f18a28debb4b454dc27e
- SHA256
  
  145ef7d4061512fb35174aa38789a7a4f75da2d858e4255855fa602be1e86ae2
- SHA512
  
  19d254e427319c328a3e574bf27cc06867e0852ab24310f38551673080da7ce52cafc7326f9220121291341b1da5af6a0365f0ed255ffdcacea0f9ff61699ac3
- SSDEEP
  
  24576:ycI4MROxnFD3jEsYxrZlI0AilFEvxHiCX:ycrMiJWrZlI0AilFEvxHi
Score

10^/10

orcus x persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

orcusxpersistenceratspywarestealer

© 2018-2024

Terms | Privacy