orcus | 79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c | Triage

Submit
Reports

Overview

overview

Static

static

3

eee2282277...18.exe

windows7-x64

eee2282277...18.exe

windows10-2004-x64

Sharing

General

Target

eee2282277e64485627c058793aa65e0_JaffaCakes118
Size

1009KB
Sample

240921-cpmj9szhqq
MD5

eee2282277e64485627c058793aa65e0
SHA1

ed5ae121bf074decf9b7a95214e67874733a5cf2
SHA256

79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c
SHA512

b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b
SSDEEP

24576:74bcdQ5WxQtrU7yHt08EAmAKywxqmJiJW3M1T+:7fdC9WmLF/mcwM1

Score

10^/10

orcus defense_evasion discovery rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

eee2282277e64485627c058793aa65e0_JaffaCakes118.exe

Resource

win7-20240903-en

orcus defense_evasion discovery rat spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

eee2282277e64485627c058793aa65e0_JaffaCakes118.exe

Resource

win10v2004-20240802-en

orcus defense_evasion discovery rat spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

18.221.17.220:1604

Mutex

1141a9276f324b1f8a2d4f8f2fec0ac5

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%temp%\drivers\ac2ftsdgj8m5ms5.exe
reconnect_delay
10000
registry_keyname
steam
taskscheduler_taskname
steam
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  eee2282277e64485627c058793aa65e0_JaffaCakes118
- Size
  
  1009KB
- MD5
  
  eee2282277e64485627c058793aa65e0
- SHA1
  
  ed5ae121bf074decf9b7a95214e67874733a5cf2
- SHA256
  
  79e31aa291777d936bdbd198ebf53f3b7d230972fcf95f92908872aca6bf888c
- SHA512
  
  b5ea27c4b0e14687065c94b72fa3c177fe161a92c15aad7db48a466ea34745fbfd15d7305f022ef322f41169b81df621253ace5d0720d11eb8ccc688a251767b
- SSDEEP
  
  24576:74bcdQ5WxQtrU7yHt08EAmAKywxqmJiJW3M1T+:7fdC9WmLF/mcwM1
Score

10^/10

orcus defense_evasion discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdefense_evasiondiscoveryratspywarestealer

behavioral2

orcusdefense_evasiondiscoveryratspywarestealer

© 2018-2025

Terms | Privacy