orcus | 6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb | Triage

Submit
Reports

Overview

overview

Static

static

6b60666d6a...cb.exe

windows7-x64

6b60666d6a...cb.exe

windows10-2004-x64

Sharing

General

Target

6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb
Size

3.0MB
Sample

240730-bn2r5azhlk
MD5

e2a52f78fc1dc2eb561fd5d77892d642
SHA1

ffe1dd532e08911537d01f51f21c1ce181f4ac71
SHA256

6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb
SHA512

e7f2abf0165735cba2da3e40ac44941135bad31c38f15dae65b66a77d3239487f758c286b95cebc17a13fd27a561804f34104c8d8f42d21ea845b3de16df6c73
SSDEEP

49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus nursultan alfa (prem)credential_access discovery rat spyware stealer

Static task

static1

nursultan alfa (prem)orcus

4 signatures

Behavioral task

behavioral1

Sample

6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb.exe

Resource

win7-20240705-en

orcus nursultan alfa (prem)credential_access discovery rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb.exe

Resource

win10v2004-20240709-en

orcus nursultan alfa (prem)credential_access discovery rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

Nursultan Alfa (prem)

C2

31.44.184.52:15288

Mutex

sudo_3kpsys7y85z4fdhjp3rb8mhbg022ckhz

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\universalwordpress\flowerdb.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Targets

- Target
  
  6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb
- Size
  
  3.0MB
- MD5
  
  e2a52f78fc1dc2eb561fd5d77892d642
- SHA1
  
  ffe1dd532e08911537d01f51f21c1ce181f4ac71
- SHA256
  
  6b60666d6ace3a450d54fe7b915c46632172ca0d4127d87873f0c111560e66cb
- SHA512
  
  e7f2abf0165735cba2da3e40ac44941135bad31c38f15dae65b66a77d3239487f758c286b95cebc17a13fd27a561804f34104c8d8f42d21ea845b3de16df6c73
- SSDEEP
  
  49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm
Score

10^/10

orcus nursultan alfa (prem)credential_access discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

nursultan alfa (prem)orcus

behavioral1

orcusnursultan alfa (prem)credential_accessdiscoveryratspywarestealer

behavioral2

orcusnursultan alfa (prem)credential_accessdiscoveryratspywarestealer

© 2018-2024

Terms | Privacy