orcus | 1a740ea5fc256aeac6c2df54d489e502cd2b752c20c09495ff879705f4bf5a0c | Triage

Submit
Reports

Overview

overview

Static

static

7

a9aa350b78...0N.exe

windows7-x64

a9aa350b78...0N.exe

windows10-2004-x64

Sharing

General

Target

a9aa350b786356d7d78279e338ccc590N.exe
Size

7.6MB
Sample

240904-bve7pstdpa
MD5

a9aa350b786356d7d78279e338ccc590
SHA1

248541c0cac6a66ba81dd8573470a15fd6107ddd
SHA256

1a740ea5fc256aeac6c2df54d489e502cd2b752c20c09495ff879705f4bf5a0c
SHA512

c7c4f3412ec0e027f5230b9912a1c2885c075cfc3cd5836ee21be44a93bf81df9afad7dda12274a29e5607f50a1ddb3290462170098dd53b731a4582d8890ef1
SSDEEP

196608:0N/rsm+cw4nWA4e9p9KGOXvFzYJncZfN/rsm+cw9nWA4e9p9KGOXvFzYJncZwh:0N/rsr4nC0PodYJncpN/rsr9nC0PodYt

Score

10^/10

orcus discovery evasion macro persistence rat spyware stealer themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

a9aa350b786356d7d78279e338ccc590N.exe

Resource

win7-20240903-en

orcus discovery evasion macro persistence rat spyware stealer themida trojan

windows7-x64

23 signatures

120 seconds

Behavioral task

behavioral2

Sample

a9aa350b786356d7d78279e338ccc590N.exe

Resource

win10v2004-20240802-en

orcus discovery evasion persistence rat spyware stealer themida trojan

windows10-2004-x64

23 signatures

120 seconds

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:10134

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  a9aa350b786356d7d78279e338ccc590N.exe
- Size
  
  7.6MB
- MD5
  
  a9aa350b786356d7d78279e338ccc590
- SHA1
  
  248541c0cac6a66ba81dd8573470a15fd6107ddd
- SHA256
  
  1a740ea5fc256aeac6c2df54d489e502cd2b752c20c09495ff879705f4bf5a0c
- SHA512
  
  c7c4f3412ec0e027f5230b9912a1c2885c075cfc3cd5836ee21be44a93bf81df9afad7dda12274a29e5607f50a1ddb3290462170098dd53b731a4582d8890ef1
- SSDEEP
  
  196608:0N/rsm+cw4nWA4e9p9KGOXvFzYJncZfN/rsm+cw9nWA4e9p9KGOXvFzYJncZwh:0N/rsr4nC0PodYJncpN/rsr9nC0PodYt
Score

10^/10

orcus discovery evasion macro persistence rat spyware stealer themida trojan
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Orcurs Rat Executable
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoveryevasionmacropersistenceratspywarestealerthemidatrojan

behavioral2

orcusdiscoveryevasionpersistenceratspywarestealerthemidatrojan

© 2018-2025

Terms | Privacy