orcus | acccfc2189e8bde1e7566f15bb9b3b0e562570eabb893cac966c297b65c19364 | Triage

Submit
Reports

Overview

overview

Static

static

7

2c49c82f68...18.exe

windows7-x64

2c49c82f68...18.exe

windows10-2004-x64

Sharing

General

Target

2c49c82f684c4d5de26627294556ed5e_JaffaCakes118
Size

1.7MB
Sample

240509-3raxcsdh9x
MD5

2c49c82f684c4d5de26627294556ed5e
SHA1

3df81bf27d88964c7f56d13b6a11e6f2873d065b
SHA256

acccfc2189e8bde1e7566f15bb9b3b0e562570eabb893cac966c297b65c19364
SHA512

950cc7c39b25ea874c9412445459442ac4a9d63fd0578c2a9cc9fd81b74d40d7439f5c304cbb4ee5b91c009f690159dd7947a7a5fcc7aa910bd3b2920cf07419
SSDEEP

49152:Ur9gNGKXYe/AhPAyTJwbfxlycZ1A5wR/LKbPD1+:UBMd8ub7ycZ1b+b

Score

10^/10

orcus fudserv persistence rat spyware stealer upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2c49c82f684c4d5de26627294556ed5e_JaffaCakes118.exe

Resource

win7-20240508-en

orcus fudserv persistence rat spyware stealer upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

2c49c82f684c4d5de26627294556ed5e_JaffaCakes118.exe

Resource

win10v2004-20240508-en

orcus fudserv persistence rat spyware stealer upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

FudServ

C2

vam0vsem0pizda.ddns.net:1704

Mutex

aa3ea6f245a74b669a769243c6a90de7

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  2c49c82f684c4d5de26627294556ed5e_JaffaCakes118
- Size
  
  1.7MB
- MD5
  
  2c49c82f684c4d5de26627294556ed5e
- SHA1
  
  3df81bf27d88964c7f56d13b6a11e6f2873d065b
- SHA256
  
  acccfc2189e8bde1e7566f15bb9b3b0e562570eabb893cac966c297b65c19364
- SHA512
  
  950cc7c39b25ea874c9412445459442ac4a9d63fd0578c2a9cc9fd81b74d40d7439f5c304cbb4ee5b91c009f690159dd7947a7a5fcc7aa910bd3b2920cf07419
- SSDEEP
  
  49152:Ur9gNGKXYe/AhPAyTJwbfxlycZ1A5wR/LKbPD1+:UBMd8ub7ycZ1b+b
Score

10^/10

orcus fudserv persistence rat spyware stealer upx
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusfudservpersistenceratspywarestealerupx

behavioral2

orcusfudservpersistenceratspywarestealerupx

© 2018-2025

Terms | Privacy