orcus

Sharing

Copy URL

Twitter E-mail

General

Target

BlitzedGrabberV12.rar
Size

3.6MB
Sample

240505-vzp29aga4w
MD5

4282ce784621bf22365f21260be70e5e
SHA1

3e743738e2ec8cc35d64ebbad99abcfde46eafe3
SHA256

06fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd
SHA512

aa776cfdc39c152814a7e0e6def451454ca30fc4388dec48f3d12b1e50a0ee3925bfd2333700919b52af725cfe7ece93146ba24a9c0d2a6c0d602f7b243b77ec
SSDEEP

98304:8IAP4hcx7zUBj8tz3b/MTraRaUTAdGW3bkzjuYAV2du1hH+QJ:MqcxzKQlL/FvA0ckz542d3QJ

Score

10^/10

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

248d60d8a7114264bce951ca45664b1d

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
winlogon.exe
watchdog_path
AppData\svchost.exe

Targets

- Target
  
  BlitzedGrabberV12.rar
- Size
  
  3.6MB
- MD5
  
  4282ce784621bf22365f21260be70e5e
- SHA1
  
  3e743738e2ec8cc35d64ebbad99abcfde46eafe3
- SHA256
  
  06fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd
- SHA512
  
  aa776cfdc39c152814a7e0e6def451454ca30fc4388dec48f3d12b1e50a0ee3925bfd2333700919b52af725cfe7ece93146ba24a9c0d2a6c0d602f7b243b77ec
- SSDEEP
  
  98304:8IAP4hcx7zUBj8tz3b/MTraRaUTAdGW3bkzjuYAV2du1hH+QJ:MqcxzKQlL/FvA0ckz542d3QJ
Score

10^/10

orcus stormkitty agilenet execution persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Orcurs Rat Executable
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  BlitzedGrabberV12/BlitzedGrabberV12.exe
- Size
  
  926.0MB
- MD5
  
  930b3bbbaa989db448d8ec5c696a5a16
- SHA1
  
  a27e7c76990a31f1414d429e828c81e14f48a00a
- SHA256
  
  eacf04d721fe4880dc73790ccbd58acf310dc0c90b13b7424200a9aa2b94640a
- SHA512
  
  cb9dc7db9f4a4c0dc5407d0a9bbd5c1301d5c4d03fed7d6b972c61a816c8860aff072f1515189d21b3336448a7c19d99f636cc3b060e4628c2ef7dbd1e75291a
- SSDEEP
  
  49152:KUAHP06/eyShf+okdWtRAOk3HQ7JTDCgV4L6uzxGiWaUKU:WmBf2dWtnGcDnMjFWxK
Score

10^/10

orcus agilenet execution persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  BlitzedGrabberV12/README.txt
- Size
  
  1KB
- MD5
  
  110a464be52a150056f184348f09a6c6
- SHA1
  
  c7516032dbae3d9e3c0342da0bd690318b93be6f
- SHA256
  
  97b778580fd7487beb8062a777a654b718a3b16622d8bcf46594ac9048dd3e6a
- SHA512
  
  04c97df944b110f6c481f2b06b406d7ba5b2b3a6176a2527ae8b9820d925a341fd106e20dd3694353effa4f623c8eeb3f858de478ebc13fa6c68d6ab04db85cf
Score

1^/10
behavioral5 behavioral6
- Target
  
  BlitzedGrabberV12/Resources/APIFOR.DLL
- Size
  
  13KB
- MD5
  
  91b4d211faddb0ebc64fb000d75d96c1
- SHA1
  
  ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c
- SHA256
  
  e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de
- SHA512
  
  3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919
- SSDEEP
  
  192:NVjzYtxJYPX7OdfdnHpZt8kit/2Y3ciPYEC3qHa:NVgbkXK5NHpZikit/NYE4qHa
Score

1^/10
behavioral7 behavioral8
- Target
  
  BlitzedGrabberV12/Resources/BouncyCastle.Crypto.dll
- Size
  
  2.5MB
- MD5
  
  3551343fab213740bbb022e3a6dcf27b
- SHA1
  
  de67fb4f9d58db4a860a703c8d1f54ff00ff9b1f
- SHA256
  
  5530dff976bc0c889076b97ca695bdb97ef07f63449d32f893ed32398ed8bfe6
- SHA512
  
  e90f51053e1d4b0ea1f7458229de92174abf0781c766290da4de5cc8dfcfb730998252bf28b36ca5070978fdcea8b97f0aea6a47b875dd34173643ac0cb46c42
- SSDEEP
  
  49152:3CTzhVM0AU5d3UOhq8hmReOUJfd5T3D+VTQlgQeCKbu9kQLO0:GwU5d3vhzhmoOmfd5rqX0
Score

1^/10
behavioral10 behavioral9
- Target
  
  BlitzedGrabberV12/Resources/Newtonsoft.Json.dll
- Size
  
  492KB
- MD5
  
  5e02ddaf3b02e43e532fc6a52b04d14b
- SHA1
  
  67f0bd5cfa3824860626b6b3fff37dc89e305cec
- SHA256
  
  78bedd9fce877a71a8d8ff9a813662d8248361e46705c4ef7afc61d440ff2eeb
- SHA512
  
  38720cacbb169dfc448deef86af973eafefa19eaeb48c55c58091c9d6a8b12a1f90148c287faaaa01326ec47143969ad1b54ee2b81018e1de0b83350dc418d1c
- SSDEEP
  
  12288:axrplPT3qwNBC3wl1zVh0Yg0pJy/qleTpfZLQ0so/VHjh:a1plPGwNBC3UOwVeLQ0so/VH
Score

1^/10
behavioral11 behavioral12
- Target
  
  BlitzedGrabberV12/Resources/UltraEmbeddable.exe
- Size
  
  465KB
- MD5
  
  b6b77d0798d39d7fadd69784c4e47c30
- SHA1
  
  967af699bd9e0f2f20b0743323e5cdd6c3767ea2
- SHA256
  
  e5c9880090d757207a5cd373f5e1d20c42d7486c742b3a30a2ee741a7aef5ef8
- SHA512
  
  5140dcebbeb53c8e74364de824d78d6c5fddcfa08f0ac38ff0d898e71bf4f8630f3b529571a7f64be00981e83af7f85a9b6665aedfaf7f0720995fae8a8e28d6
- SSDEEP
  
  12288:MXUNgkAIMflOWTUpGY5ObqRKd6G2nHVxxd/2KO:QUNdJMNOWTUQveYd6fHnxsKO
Score

3^/10
behavioral13 behavioral14
- Target
  
  BlitzedGrabberV12/Resources/ww.exe
- Size
  
  59KB
- MD5
  
  21d2cd5e50a4fea2868725cbf2bd43dd
- SHA1
  
  2eede1b89427f9cf5b9c144f9ab2cac79439e029
- SHA256
  
  809236959232884def77d8da2aa283a8ad4c77824932cd06a4188a21a6581bc3
- SHA512
  
  1eacde6ef8c47fe8f6b1d6b8479453fbddd4531fb4dc3bec83eaaa261b5ae3ed963c6d862b4e92862aefa4bc069c5a190390df6edfdfded69e0778651c1bfca8
- SSDEEP
  
  768:bv8q4lFep7sfOCROyzDxEQK76Yt5Qb7jTIajt9K0fZOv11yL6N9gE5WHpGV:Dt4lffROyzECZ41yLg9gEgJS
Score

10^/10

stormkitty spyware stealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  BlitzedGrabberV12/Resources/yhyty5.exe
- Size
  
  59KB
- MD5
  
  9b1283f4b90fa0009ea6fda13596a584
- SHA1
  
  1daa7ccfddc6da823c2fadb7b821a9e26efebabe
- SHA256
  
  4e3ff2595fc8b32fb44856e856b6d91600fd6a66ab556bc2437a926bf7c8fdb0
- SHA512
  
  ca6d46254da5c16f80a3ee4a5d11b7203a025082e8268ba8ff343a6b705262e03c8c149e381ec038b364ebecb8a5ab4169e6e5fb3676d90abe37aecf468d1ecb
- SSDEEP
  
  768:uvlq4ltFkHOCROyDZSCY6LaIdB4b2iuAPGdX3oI0fZOv11cEL6N9Q5WEpGl:I84l4XROyDL3AEo41BLg9Qg6y
Score

10^/10

stormkitty spyware stealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
behavioral17 behavioral18

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus main payload

StormKitty

StormKitty payload

Orcurs Rat Executable

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

StormKitty

StormKitty payload

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

StormKitty

StormKitty payload

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18