orcus | 9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336 | Triage

Submit
Reports

Overview

overview

Static

static

9963f8b426...36.exe

windows7-x64

9963f8b426...36.exe

windows10-2004-x64

Sharing

General

Target

9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
Size

914KB
Sample

240423-bxwbpsbb2s
MD5

382b5ec3d08f531a34b67c3d37851f93
SHA1

18fcf2c3f7756b5cc9f43ff41dde700c5326c2a8
SHA256

9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
SHA512

e4b89d38ea971d666c95297872363d855500e1c553bbceb83768137b3b50243423f50b563aefb0c3b18200ffcf3d283e6b2568dcbe68300ffabb78fa8e0a0ce6
SSDEEP

24576:P6A4MROxnFR3aTnXrZlI0AilFEvxHiXv:P6jMijkrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe

Resource

win7-20240221-en

orcus rat spyware stealer

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336.exe

Resource

win10v2004-20240412-en

orcus rat spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

178.20.45.159:7777

Mutex

0987a51eb44e4803863e149ff474a3f6

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%appdata%\Discord\Telegram.exe
reconnect_delay
10000
registry_keyname
tg
taskscheduler_taskname
tg
watchdog_path
Temp\Telegram.exe

Targets

- Target
  
  9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
- Size
  
  914KB
- MD5
  
  382b5ec3d08f531a34b67c3d37851f93
- SHA1
  
  18fcf2c3f7756b5cc9f43ff41dde700c5326c2a8
- SHA256
  
  9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
- SHA512
  
  e4b89d38ea971d666c95297872363d855500e1c553bbceb83768137b3b50243423f50b563aefb0c3b18200ffcf3d283e6b2568dcbe68300ffabb78fa8e0a0ce6
- SSDEEP
  
  24576:P6A4MROxnFR3aTnXrZlI0AilFEvxHiXv:P6jMijkrZlI0AilFEvxHi
Score

10^/10

orcus rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusratspywarestealer

behavioral2

orcusratspywarestealer

© 2018-2025

Terms | Privacy