orcus

General

Target

5ccf3a06eeaa035c5b4b60f44e7820692c015208d62e415a3c224c009edde3df
Size

3.2MB
Sample

240726-bel1bawfjr
MD5

90cd2e9c676fc284584653b5d4f95126
SHA1

4e1a138d45e7833d1eb4205606cdd7f4508bce5c
SHA256

5ccf3a06eeaa035c5b4b60f44e7820692c015208d62e415a3c224c009edde3df
SHA512

57166446c7743344914d2c1e089e066bc0ddddc29cb8e64e801f01c63f6287d524a3778a7d67070779e90ad31e7b0675f081dafbd32b34aa407e20706885a146
SSDEEP

49152:oGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:oLHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

Malware Config

Extracted

Family

orcus

Botnet

FunPay

C2

31.44.184.52:44657

Mutex

sudo_vm3jypee5e4wpgyaqsjreb4akskikm0b

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\privategamebase\Discord.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Targets

- Target
  
  5ccf3a06eeaa035c5b4b60f44e7820692c015208d62e415a3c224c009edde3df
- Size
  
  3.2MB
- MD5
  
  90cd2e9c676fc284584653b5d4f95126
- SHA1
  
  4e1a138d45e7833d1eb4205606cdd7f4508bce5c
- SHA256
  
  5ccf3a06eeaa035c5b4b60f44e7820692c015208d62e415a3c224c009edde3df
- SHA512
  
  57166446c7743344914d2c1e089e066bc0ddddc29cb8e64e801f01c63f6287d524a3778a7d67070779e90ad31e7b0675f081dafbd32b34aa407e20706885a146
- SSDEEP
  
  49152:oGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:oLHTPJg8z1mKnypSbRxo9JCm
Score

10^/10

orcus funpay credential_access discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2