orcus | beb9b3be2a4de7f67f80826aadcec76c91d979d08571ff83ee5f6653ca8d25c4 | Triage

Submit
Reports

Overview

overview

Static

static

beb9b3be2a...c4.exe

windows7-x64

beb9b3be2a...c4.exe

windows10-2004-x64

Sharing

General

Target

beb9b3be2a4de7f67f80826aadcec76c91d979d08571ff83ee5f6653ca8d25c4
Size

918KB
Sample

240507-bx49lscd41
MD5

054055eb5b8478398a161bc868ec34b9
SHA1

ffb86d0bfa9b528b460e1cb3e03189cd5986e374
SHA256

beb9b3be2a4de7f67f80826aadcec76c91d979d08571ff83ee5f6653ca8d25c4
SHA512

8ad2206aa1c6bd24754b2a4e380feb2472583a96b25df03778d3b3dd67bf9b62b62a06f7507796778f4264e68b1ab616c0314b89415fa4f002e1f896fd7297ce
SSDEEP

24576:XEu4MROxnFH3TRM4grrcI0AilFEvxHPbooq:XIMihTlgrrcI0AilFEvxHP

Score

10^/10

orcus skidv3 rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

beb9b3be2a4de7f67f80826aadcec76c91d979d08571ff83ee5f6653ca8d25c4.exe

Resource

win7-20240221-en

orcus skidv3 rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

beb9b3be2a4de7f67f80826aadcec76c91d979d08571ff83ee5f6653ca8d25c4.exe

Resource

win10v2004-20240419-en

orcus skidv3 rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

SKIDV3

C2

bigtitties.hopto.org:1604

Mutex

c99184ad8a1a41e3b344d48e60aed638

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%SYSTEMROOT%\Windows\appdata\host\svchost.exe
reconnect_delay
10000
registry_keyname
HKEY_LOCAL_MACHINE\SYSTEM\State\DateTime
taskscheduler_taskname
conhost
watchdog_path
AppData\conhost.exe

Targets

- Target
  
  beb9b3be2a4de7f67f80826aadcec76c91d979d08571ff83ee5f6653ca8d25c4
- Size
  
  918KB
- MD5
  
  054055eb5b8478398a161bc868ec34b9
- SHA1
  
  ffb86d0bfa9b528b460e1cb3e03189cd5986e374
- SHA256
  
  beb9b3be2a4de7f67f80826aadcec76c91d979d08571ff83ee5f6653ca8d25c4
- SHA512
  
  8ad2206aa1c6bd24754b2a4e380feb2472583a96b25df03778d3b3dd67bf9b62b62a06f7507796778f4264e68b1ab616c0314b89415fa4f002e1f896fd7297ce
- SSDEEP
  
  24576:XEu4MROxnFH3TRM4grrcI0AilFEvxHPbooq:XIMihTlgrrcI0AilFEvxHP
Score

10^/10

orcus skidv3 rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusskidv3ratspywarestealer

behavioral2

orcusskidv3ratspywarestealer

© 2018-2025

Terms | Privacy