orcus

General

Target

java.exe
Size

912KB
Sample

240720-vgqaaswarm
MD5

ded3e760ff8be2ba3644390356a06ecc
SHA1

bf35f9633107ec72a57157f24c4f080ed9203dd6
SHA256

8fe37b9605617ca26443064f74eaaf156f43c7ef80deaecdc71eb5688f4cc255
SHA512

11b7d51395a6dd952a231f093b79df87a1de7e62be6d9a8aadf73dc4dd20c8557b636bafd50672cdb06607bfcffe713685f51f218b7679e07177a42ff931bc62
SSDEEP

12288:c0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCjRzUefAUQGYppMku77dG1lFlWu:gOK4MROxnFHVorrcI0AilFEvxHjWQg

Score

10^/10

Malware Config

Extracted

Family

orcus

C2

0.tcp.eu.ngrok.io:10019

Mutex

a6fa2ae42e784c859e6a44e0e55cd75b

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  java.exe
- Size
  
  912KB
- MD5
  
  ded3e760ff8be2ba3644390356a06ecc
- SHA1
  
  bf35f9633107ec72a57157f24c4f080ed9203dd6
- SHA256
  
  8fe37b9605617ca26443064f74eaaf156f43c7ef80deaecdc71eb5688f4cc255
- SHA512
  
  11b7d51395a6dd952a231f093b79df87a1de7e62be6d9a8aadf73dc4dd20c8557b636bafd50672cdb06607bfcffe713685f51f218b7679e07177a42ff931bc62
- SSDEEP
  
  12288:c0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCjRzUefAUQGYppMku77dG1lFlWu:gOK4MROxnFHVorrcI0AilFEvxHjWQg
Score

10^/10

orcus rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Deletes itself
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcurs Rat Executable

Deletes itself

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4