orcus | 1d2bd211b2cb977bbb59c139387096ab73e1496eb5f6ad1237d8fe7878124872 | Triage

Sharing

General

Target

Rc7-Cracked.zip
Size

4.9MB
Sample

240723-j5nktswdme
MD5

9605ddef6446ab7108378f4dbe737909
SHA1

55bf0a1e7fdc3d3207557a26bdaf3b97b20d294b
SHA256

1d2bd211b2cb977bbb59c139387096ab73e1496eb5f6ad1237d8fe7878124872
SHA512

c1b2e5ee1f59efee0c7fe085d0b6f433aefe8562d11520d411dfe6dcc1720160b0fb87b97dbb82b5e684609e5c2094bdc33a455a8706670cf36607628ff73506
SSDEEP

98304:/HdQSqS2hHDypUVSBjlGZTqP+eRDaolDmAhOiV170HM3kP2/wJzFi5e:VTmAuVqwZTMlRjlDd0iVV0s3b0oE

Score

10^/10

orcus persistence rat spyware stealer vmprotect

Malware Config

Extracted

Family

orcus

C2

wowthatsagoodmeme.ddns.net:10134

Mutex

4be6c8113962424a916b8095b89af0c9

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\WlNDOWS DEFENDER\UPDATER.exe
reconnect_delay
10000
registry_keyname
Wlndows Defender
taskscheduler_taskname
Orcus
watchdog_path
AppData\%appdata%/WlNDOWS DEFENDER/WlNDOWS DEFENDER UPDATER.exe

Targets

- Target
  
  Rc7 - Cracked/Rc7- Cracked by Roque Exploitzz.exe
- Size
  
  907KB
- MD5
  
  5668bd983341f9ffd4726d887090b64c
- SHA1
  
  1a150545d2fb65240101f9466b1043269b379f25
- SHA256
  
  afb1bf7f37ba0ff0ccd8fa29c7089abc4975fef56155ab9f3c1535fea70b1f0d
- SHA512
  
  0dcb2b2a1c2ee10c3b3727e3cfde698ec339569003bc3e18a6b76de65e7497080799d2e52fae234cb4e5ab518a296bf0d4f2f350f0571a1b39bc8b3e584c6ed1
- SSDEEP
  
  24576:nhv4MROxnFj3IrkxrrcI0AilFEvxHPyooT:nKMi1UqrrcI0AilFEvxHP
Score

10^/10

orcus persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Rc7 - Cracked/Rc7.dll
- Size
  
  4.6MB
- MD5
  
  882d31a38dbc169e51395f71f0eff5f1
- SHA1
  
  0740b7158f86b98c45738b6b325e42a7f106fedf
- SHA256
  
  1ca54533be8464d8a2275bf252cd619ee2c1d80f2023125b180af3aaaa8f64d6
- SHA512
  
  6b7d80d3b26199a33c0d095e95792af88fef9a218bca853f009e4646297981f75ee54e99d54cc9b1530aa75978e8e6edd6d71386d7a20b8525690c4c13cb6c37
- SSDEEP
  
  98304:lVQx8t9hlqVUZWNP9GJ3yL0wNHEmNL+MLOYTJh03QBEx+:lwSZ2YJ3ENNVNLJSYTj0g2x
Score

1^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcuspersistenceratspywarestealer

behavioral2

orcuspersistenceratspywarestealer

behavioral3

behavioral4