orcus | 3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3 | Triage

Submit
Reports

Overview

overview

Static

static

3

838db8ab2f...18.exe

windows7-x64

838db8ab2f...18.exe

windows10-2004-x64

Sharing

General

Target

838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118
Size

1.5MB
Sample

240530-j8cbzacf69
MD5

838db8ab2f771d8012c8a0d9a0a87b10
SHA1

1c1fa9619a53a6931647ff0df64fe15d9902ba83
SHA256

3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3
SHA512

fb52f77b774e0ef4ccea2fe2440e10d2bce218c6df28154d601d8a44fab404b030124655d8b76218ccdf75f2564a0e7589f20c6274580f9b3b01dbb943162d0e
SSDEEP

24576:RoK5MMv0TUoJVRIfLNV8LAv5vkVQ0BL3vrlsW+/O9RIOkT:RoAMM6JVRMV1vhOrrln7g

Score

10^/10

orcus zgrat desk-100618 rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Resource

win7-20240221-en

orcus zgrat desk-100618 rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Resource

win10v2004-20240508-en

orcus zgrat desk-100618 rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

DESK-100618

C2

poulty55.chickenkiller.com:9030

Mutex

a386a045d9c842428c74de4ed9645fe9

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10002
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  838db8ab2f771d8012c8a0d9a0a87b10
- SHA1
  
  1c1fa9619a53a6931647ff0df64fe15d9902ba83
- SHA256
  
  3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3
- SHA512
  
  fb52f77b774e0ef4ccea2fe2440e10d2bce218c6df28154d601d8a44fab404b030124655d8b76218ccdf75f2564a0e7589f20c6274580f9b3b01dbb943162d0e
- SSDEEP
  
  24576:RoK5MMv0TUoJVRIfLNV8LAv5vkVQ0BL3vrlsW+/O9RIOkT:RoAMM6JVRMV1vhOrrln7g
Score

10^/10

orcus zgrat desk-100618 rat spyware stealer
- Detect ZGRat V2
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Orcurs Rat Executable
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

orcuszgratdesk-100618ratspywarestealer

behavioral2

orcuszgratdesk-100618ratspywarestealer

© 2018-2024

Terms | Privacy