orcus | 16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf | Triage

Submit
Reports

Overview

overview

Static

static

1

2ff47e2334...18.exe

windows7-x64

2ff47e2334...18.exe

windows10-2004-x64

Sharing

General

Target

2ff47e23344149f6b3b458259467d324_JaffaCakes118
Size

1.3MB
Sample

240510-tmw5cseb61
MD5

2ff47e23344149f6b3b458259467d324
SHA1

445166148c135adc96fb0ae6010f0df05844b6ad
SHA256

16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf
SHA512

680e6d5b1f179709942e3341bb369c54344ccde058d55f0a6461c42cdc3937444351bda55dea9537a85a59000e7e5d48f58512411c63f89bf9b9936635197b3a
SSDEEP

24576:TQZb8VCr3+EgexOnNNwiWgpacSpC19qo8Xf+b:W8auGSbwiWgAcSMv8mb

Score

10^/10

orcus desk021320 rat spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe

Resource

win7-20240215-en

orcus desk021320 rat spyware stealer upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe

Resource

win10v2004-20240426-en

orcus desk021320 rat spyware stealer upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

DESK021320

C2

dailyupdates.theworkpc.com:9030

Mutex

0f2edf0cec8246d2a8b4bec33606ed52

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  2ff47e23344149f6b3b458259467d324_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  2ff47e23344149f6b3b458259467d324
- SHA1
  
  445166148c135adc96fb0ae6010f0df05844b6ad
- SHA256
  
  16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf
- SHA512
  
  680e6d5b1f179709942e3341bb369c54344ccde058d55f0a6461c42cdc3937444351bda55dea9537a85a59000e7e5d48f58512411c63f89bf9b9936635197b3a
- SSDEEP
  
  24576:TQZb8VCr3+EgexOnNNwiWgpacSpC19qo8Xf+b:W8auGSbwiWgAcSMv8mb
Score

10^/10

orcus desk021320 rat spyware stealer upx
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

orcusdesk021320ratspywarestealerupx

behavioral2

orcusdesk021320ratspywarestealerupx

© 2018-2025

Terms | Privacy