orcus | cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400 | Triage

Submit
Reports

Overview

overview

Static

static

fa8a33fb3b...18.exe

windows7-x64

fa8a33fb3b...18.exe

windows10-2004-x64

Sharing

General

Target

fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118
Size

918KB
Sample

240927-rc5bwaycjh
MD5

fa8a33fb3bda39a4ca3cea2500c635b8
SHA1

47c0e3509a249d0d80716da3afe28b5fe765d225
SHA256

cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400
SHA512

3fc02998288f88ad2b822281830ac328981b42a94ecfef370b67dd4f6f62724eceabadcba635e401a0ddb5dd77011f199c8e4e68b51e3765e3cdaa66177a9c92
SSDEEP

24576:F1I4MROxnFi3WUrUrZlI0AilFEvxHiSRX:F1rMioN4rZlI0AilFEvxHi

Score

10^/10

orcus discovery persistence rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe

Resource

win7-20240903-en

orcus discovery persistence rat spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe

Resource

win10v2004-20240802-en

orcus discovery persistence rat spyware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

87.103.252.59:25565

Mutex

7d661032d74f479fa6fca588ed3ac59f

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Steam\depotcache\SteamWebHelper.exe
reconnect_delay
5000
registry_keyname
Windows
taskscheduler_taskname
Windows
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118
- Size
  
  918KB
- MD5
  
  fa8a33fb3bda39a4ca3cea2500c635b8
- SHA1
  
  47c0e3509a249d0d80716da3afe28b5fe765d225
- SHA256
  
  cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400
- SHA512
  
  3fc02998288f88ad2b822281830ac328981b42a94ecfef370b67dd4f6f62724eceabadcba635e401a0ddb5dd77011f199c8e4e68b51e3765e3cdaa66177a9c92
- SSDEEP
  
  24576:F1I4MROxnFi3WUrUrZlI0AilFEvxHiSRX:F1rMioN4rZlI0AilFEvxHi
Score

10^/10

orcus discovery persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoverypersistenceratspywarestealer

behavioral2

orcusdiscoverypersistenceratspywarestealer

© 2018-2025

Terms | Privacy