orcus | b0becdf1d3ad227e48899ad25cbdc47d9b9c5bcf7f88af92822197a769380db5 | Triage

Submit
Reports

Overview

overview

Static

static

3

1b216f695d...18.exe

windows7-x64

1b216f695d...18.exe

windows10-2004-x64

Sharing

General

Target

1b216f695dfb650511fe4022727f1388_JaffaCakes118
Size

2.7MB
Sample

240506-gx4kzaee96
MD5

1b216f695dfb650511fe4022727f1388
SHA1

0f14d33fa6932bd073eba159689bc0e6c93d09be
SHA256

b0becdf1d3ad227e48899ad25cbdc47d9b9c5bcf7f88af92822197a769380db5
SHA512

03d0bb82771bb12e3e0c1f544153b93003d57ed8037a80b1f91369511f99f7e96408d345821051a655c98cb8c717685ba503390694969cccf1e21369553a3048
SSDEEP

49152:pK+ohlRNJSkTmNN31MwQn7y6mbL08WvcSr:czHIkTmNdY7y/bL7le

Score

10^/10

orcus desk-100618 persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe

Resource

win7-20240221-en

orcus desk-100618 persistence rat spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1b216f695dfb650511fe4022727f1388_JaffaCakes118.exe

Resource

win10v2004-20240419-en

orcus desk-100618 persistence rat spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

DESK-100618

C2

poulty55.chickenkiller.com:9030

Mutex

a386a045d9c842428c74de4ed9645fe9

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10002
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  1b216f695dfb650511fe4022727f1388_JaffaCakes118
- Size
  
  2.7MB
- MD5
  
  1b216f695dfb650511fe4022727f1388
- SHA1
  
  0f14d33fa6932bd073eba159689bc0e6c93d09be
- SHA256
  
  b0becdf1d3ad227e48899ad25cbdc47d9b9c5bcf7f88af92822197a769380db5
- SHA512
  
  03d0bb82771bb12e3e0c1f544153b93003d57ed8037a80b1f91369511f99f7e96408d345821051a655c98cb8c717685ba503390694969cccf1e21369553a3048
- SSDEEP
  
  49152:pK+ohlRNJSkTmNN31MwQn7y6mbL08WvcSr:czHIkTmNdY7y/bL7le
Score

10^/10

orcus desk-100618 persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

orcusdesk-100618persistenceratspywarestealer

behavioral2

orcusdesk-100618persistenceratspywarestealer

© 2018-2024

Terms | Privacy