orcus | 00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

5

00d87c913a...f5.exe

windows7-x64

00d87c913a...f5.exe

windows10-2004-x64

Sharing

General

Target

00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5
Size

2.6MB
Sample

240423-bf16maae98
MD5

fddf433f759f354b7fcffbbb11196661
SHA1

41ec7591ef29b5d855fa85adfecd6eea1bcf259a
SHA256

00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5
SHA512

cb6a969f87c67b4f03b50af305a734add9b4c41048f5b6b4e8988287ac43eecb1821d345d44bd5fc9116cc5b6de0a03d7ad48ef27047435899b5a69d47ecd2b9
SSDEEP

24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxU:Hh+ZkldoPKiYdqd68

Score

10^/10

orcus ligeon rat spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5.exe

Resource

win7-20240221-en

orcus ligeon rat spyware stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5.exe

Resource

win10v2004-20240412-en

orcus ligeon rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5
- Size
  
  2.6MB
- MD5
  
  fddf433f759f354b7fcffbbb11196661
- SHA1
  
  41ec7591ef29b5d855fa85adfecd6eea1bcf259a
- SHA256
  
  00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5
- SHA512
  
  cb6a969f87c67b4f03b50af305a734add9b4c41048f5b6b4e8988287ac43eecb1821d345d44bd5fc9116cc5b6de0a03d7ad48ef27047435899b5a69d47ecd2b9
- SSDEEP
  
  24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxU:Hh+ZkldoPKiYdqd68
Score

10^/10

orcus ligeon rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusligeonratspywarestealer

behavioral2

orcusligeonratspywarestealer

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.