orcus | fbcf5a593764f30ac5d20579ff73ee0d09a656d5451417d6d85bd8969a62eb50 | Triage

Submit
Reports

Overview

overview

Static

static

fbcf5a5937...50.exe

windows7-x64

fbcf5a5937...50.exe

windows10-2004-x64

Sharing

General

Target

fbcf5a593764f30ac5d20579ff73ee0d09a656d5451417d6d85bd8969a62eb50
Size

926KB
Sample

240528-bk29gsac39
MD5

89188042a998ec22a6c73fe6dacffaac
SHA1

17bb8265b42ee2965af1e4d006d3b560f5d8850c
SHA256

fbcf5a593764f30ac5d20579ff73ee0d09a656d5451417d6d85bd8969a62eb50
SHA512

838d3bd28ff52e93934c22fb7962d00e0b6f342de72b29b3baef7edef81bd9116393113339153c5c6642c2e1bc9d788af1536d9dd95f24360a5177a6a41c9a72
SSDEEP

24576:VCC4MROxnFE3bO3YrrcI0AilFEvxHP7PooC:VKMiuoYrrcI0AilFEvxHP

Score

10^/10

orcus persistence rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

fbcf5a593764f30ac5d20579ff73ee0d09a656d5451417d6d85bd8969a62eb50.exe

Resource

win7-20240221-en

orcus persistence rat spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

fbcf5a593764f30ac5d20579ff73ee0d09a656d5451417d6d85bd8969a62eb50.exe

Resource

win10v2004-20240508-en

orcus persistence rat spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

live-promotions.gl.at.ply.gg:51701

Mutex

8308403d2e84407bbd17db2f8cf97418

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  fbcf5a593764f30ac5d20579ff73ee0d09a656d5451417d6d85bd8969a62eb50
- Size
  
  926KB
- MD5
  
  89188042a998ec22a6c73fe6dacffaac
- SHA1
  
  17bb8265b42ee2965af1e4d006d3b560f5d8850c
- SHA256
  
  fbcf5a593764f30ac5d20579ff73ee0d09a656d5451417d6d85bd8969a62eb50
- SHA512
  
  838d3bd28ff52e93934c22fb7962d00e0b6f342de72b29b3baef7edef81bd9116393113339153c5c6642c2e1bc9d788af1536d9dd95f24360a5177a6a41c9a72
- SSDEEP
  
  24576:VCC4MROxnFE3bO3YrrcI0AilFEvxHP7PooC:VKMiuoYrrcI0AilFEvxHP
Score

10^/10

orcus persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcuspersistenceratspywarestealer

behavioral2

orcuspersistenceratspywarestealer

© 2018-2025

Terms | Privacy