orcus

Sharing

Copy URL

Twitter E-mail

General

Target

BlitzedGrabberX96.zip
Size

5.7MB
Sample

240507-a8p4dsba6w
MD5

ee64a0b68d67da34ac76c56b2c66d4ba
SHA1

ecff5c05e9b6ba69bcc79994fe6aaf2a4721a103
SHA256

471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9
SHA512

98be317b5535464d377ac522428472381f45fb9c2329059c565c18e52fb82a52a2dad91ab85a88dd6669bce340f8b87312d7e41d66b7d0f71429702c922d2fb1
SSDEEP

98304:+du79TVRun1hrRp4RAGzh8e5k1hH+QE20CMlSoe0mMfg+MWYJmvj5luj:AW9pIbRch/NQE20drg9WYJ+uj

Score

10^/10

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

690c4574d03b45e4b89aa16b415b7baf

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\Plugins\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
svchost
watchdog_path
AppData\svchost.exe

Targets

- Target
  
  BlitzedGrabberX96.zip
- Size
  
  5.7MB
- MD5
  
  ee64a0b68d67da34ac76c56b2c66d4ba
- SHA1
  
  ecff5c05e9b6ba69bcc79994fe6aaf2a4721a103
- SHA256
  
  471b1264bcc332dcfa69187ff322df257d039bc2503765fec497b3b5fdbda0e9
- SHA512
  
  98be317b5535464d377ac522428472381f45fb9c2329059c565c18e52fb82a52a2dad91ab85a88dd6669bce340f8b87312d7e41d66b7d0f71429702c922d2fb1
- SSDEEP
  
  98304:+du79TVRun1hrRp4RAGzh8e5k1hH+QE20CMlSoe0mMfg+MWYJmvj5luj:AW9pIbRch/NQE20drg9WYJ+uj
Score

10^/10

orcus agilenet execution persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  BlitzedGrabberX96/Bin/APIFOR.DLL
- Size
  
  13KB
- MD5
  
  91b4d211faddb0ebc64fb000d75d96c1
- SHA1
  
  ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c
- SHA256
  
  e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de
- SHA512
  
  3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919
- SSDEEP
  
  192:NVjzYtxJYPX7OdfdnHpZt8kit/2Y3ciPYEC3qHa:NVgbkXK5NHpZikit/NYE4qHa
Score

1^/10
behavioral3 behavioral4
- Target
  
  BlitzedGrabberX96/Bin/BouncyCastle.Crypto.dll
- Size
  
  3.2MB
- MD5
  
  9fe1a31fdc7b67f5480e936d359ef6c3
- SHA1
  
  576269a42c0991e90f5e83c8205eb808d7b4d3ba
- SHA256
  
  f42b8609854d80d7f81f276340504aa5e82bbe4d73d05080fef1fcca2444b4d5
- SHA512
  
  7b7cae9fc0afccee7533971f97af11e5dedb54775bbfe45ad94b82bfda6122e65fb378bd27b2390bfe45af89438dbb550171f6939febcf742034a405b49339a7
- SSDEEP
  
  49152:C50b59Aj1ZLCpTT2TzAOeJ+KaGxHIkMNqo5wW0DlI6eujzc3:y0b3AjaFZE5WIR3
Score

1^/10
behavioral5 behavioral6
- Target
  
  BlitzedGrabberX96/Bin/Leaf.xNet.dll
- Size
  
  129KB
- MD5
  
  ea87f37e78fb9af4bf805f6e958f68f4
- SHA1
  
  89662fed195d7b9d65ab7ba8605a3cd953f2b06a
- SHA256
  
  de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa
- SHA512
  
  c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a
- SSDEEP
  
  3072:gE3OJDHIfFLlL3pPiqhcLS/oZhttaMBM2cid:gHWZxJiqO
Score

1^/10
behavioral7 behavioral8
- Target
  
  BlitzedGrabberX96/Bin/Microsoft.CSharp.dll
- Size
  
  474KB
- MD5
  
  4ebd5b96d2f428e854f11393e80f3354
- SHA1
  
  7241b4e311e870c2bd3c9683df984cb348345dc8
- SHA256
  
  f781fc033428de7ba16ee583068d55c050a40a70ca9539c50ae2db61bf83e161
- SHA512
  
  c8c9d85e20b23c4eb7b182e504f64bb9064505bc6dbd0a41b63203151361da35cb78b827a19da803988431d4359bd0a0fafd6061387570ba0ec06597c3d94f8c
- SSDEEP
  
  12288:dsBGGf0LkNH70k7hOP7COtGfVH7+WcZieoZSW:dsQGf0LkNVuCOtGfVH7+lZgp
Score

1^/10
behavioral10 behavioral9
- Target
  
  BlitzedGrabberX96/Bin/Newtonsoft.Json.dll
- Size
  
  558KB
- MD5
  
  6355cbc2e2fc439d10b093d2e1fb0f44
- SHA1
  
  3502e1e607e640d53a466ea00cf718354339b8eb
- SHA256
  
  87837943df8c9ed8a759125a5a57dd2d237a2c5eceb742c4353b93d7143b784e
- SHA512
  
  f23ac7b9f948e5c04e5dd6cb7d85165305baa7bef554830bd742e221aca359f5bfb0dece893a8128a6174539a9f32a1070701dd388083e2bbebc4002ed6b0861
- SSDEEP
  
  6144:ndQGX+WzjrOtIldGE1PJCbQ2fT1934zGt2JPyXVo+pyQBnvsJ0unNOqgLXPBl2pa:xX+wrlJyfr2JPTpppURrR1lBNARq
Score

1^/10
behavioral11 behavioral12
- Target
  
  BlitzedGrabberX96/Bin/System.Security.Cryptography.ProtectedData.dll
- Size
  
  20KB
- MD5
  
  538fee2001d33945a4c4621505e27ad5
- SHA1
  
  6be51b5c32306b258269a06ebb5ecd2cbb88b12a
- SHA256
  
  d186453eebba21e19a90e4fea16c11c3df59ed9610201c5a3c6d636b9864d840
- SHA512
  
  d277c6505b10cc68e52c9de269481601378c7286116d99fb9607dff38f51e21b29891158a5b2745b3b932afa30a6eb8e1140879192cf2bae7a6baec9c10052cc
- SSDEEP
  
  384:d2T2+pBUsxheHWAb6jDWL/uPHRN7N61wQmDWlBY9Ym:d2TD7hbkMQO1Ht
Score

1^/10
behavioral13 behavioral14
- Target
  
  BlitzedGrabberX96/Bin/UltraEmbeddable.exe
- Size
  
  465KB
- MD5
  
  b6b77d0798d39d7fadd69784c4e47c30
- SHA1
  
  967af699bd9e0f2f20b0743323e5cdd6c3767ea2
- SHA256
  
  e5c9880090d757207a5cd373f5e1d20c42d7486c742b3a30a2ee741a7aef5ef8
- SHA512
  
  5140dcebbeb53c8e74364de824d78d6c5fddcfa08f0ac38ff0d898e71bf4f8630f3b529571a7f64be00981e83af7f85a9b6665aedfaf7f0720995fae8a8e28d6
- SSDEEP
  
  12288:MXUNgkAIMflOWTUpGY5ObqRKd6G2nHVxxd/2KO:QUNdJMNOWTUQveYd6fHnxsKO
Score

3^/10
behavioral15 behavioral16
- Target
  
  BlitzedGrabberX96/Bin/leaf.exe
- Size
  
  18KB
- MD5
  
  2a62b2d78f2c0f2efd39f07641d231e1
- SHA1
  
  30e17f27edb951a306fd907e37aacc170bf3c7be
- SHA256
  
  b4b1dd5fc206b0089ca1e7d613d6475a9a06bbcf4c207830d7c0cf02a94ae79a
- SHA512
  
  4246bb79753f803aaeef24ec6bb9f5ec23859f2cc24d3cfb58c901722cd089b98cf8a2eae6763d18f1a2a330f71887aa8dfbfbd2bb92865680c2f1135a371ca5
- SSDEEP
  
  384:F4DIh6WG5tV+xSjdto26g2S0olp6NaUkBq2CimESaz+kz:6DIhK3gG/6rsYjEJSkz
Score

7^/10
- Drops startup file
behavioral17 behavioral18
- Target
  
  BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe
- Size
  
  922.0MB
- MD5
  
  579579c7f692ec28c4b198f6dd30f372
- SHA1
  
  5eeeaf129ba78eec60d3a5cdb16d3d31eeb4a015
- SHA256
  
  245806b93b9d8c782086ddd542a45e3f8920031ef450335c18fe2402b963b365
- SHA512
  
  18ff96211d56d076c3b1ee29d18591cdc483761ddf0284dba26a6751d91db595d65500c0d3a5a92cc3c1512c53dad42fc8ee6d9d0a4b51a1789453c7eaecb31c
- SSDEEP
  
  49152:p9sij7wmgm0JRjaXUVPJUdDrAZY6DQAJE8lIZCmT3KxX9xtARkN2AWUoWHF08xGw:Mij7wgEVPJU+ZHDPtqn3QjtAFIFKIz
Score

10^/10

orcus agilenet execution persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  BlitzedGrabberX96/How To Install.txt
- Size
  
  2KB
- MD5
  
  2695d05b7df345b8bc31c631b8b46492
- SHA1
  
  c85b52d017bc717b55ce9922727a05404a27ca74
- SHA256
  
  d473fb1f133da373c0f53cba34f092bfeee496c361a4c3dae2a54fd581abbcde
- SHA512
  
  53e378721f50abdaa491d9c09bef893c02124a0b5c051decf0f04e5856b188483717b12b3edd2e765049e651514c8aac41808e3fc77e80b0cf6e0ae5c422b43e
Score

1^/10
behavioral21 behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcurs Rat Executable

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops startup file

Orcus

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22