orcus

General

Target

844723fe8d0dba68effa0969216be3c67133019f720396c47c8f57752d9c014c
Size

3.0MB
Sample

241105-bva8rasckk
MD5

a926645c212cd8d7667b2c0d91421bf8
SHA1

042a63bb3bbdb79d81dc21b9517b213fa16ee9d4
SHA256

844723fe8d0dba68effa0969216be3c67133019f720396c47c8f57752d9c014c
SHA512

8c2557ff2bcd730f4a99306b19a6b05aaa30a2fc74d77a5d2c4f246bc12edb65c8acb270ce7e0016ea1884ddf9f3268403fc60f498fc6fae927d201aaa20e488
SSDEEP

24576:wpP4MROxnFH3yRM4qrrcI0AilFEvxHPcdooV:w2MihylqrrcI0AilFEvxHPc

Score

10^/10

Malware Config

Extracted

Family

orcus

C2

venerra.ddns.net:1604

Mutex

8f144d586f97404d9cf70aca18e3708d

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%windir%/VMP/Protector/VMP Demo.exe
reconnect_delay
10000
registry_keyname
VMP Protect
taskscheduler_taskname
VMP_Protect
watchdog_path
AppData\VMP Https

Targets

- Target
  
  844723fe8d0dba68effa0969216be3c67133019f720396c47c8f57752d9c014c
- Size
  
  3.0MB
- MD5
  
  a926645c212cd8d7667b2c0d91421bf8
- SHA1
  
  042a63bb3bbdb79d81dc21b9517b213fa16ee9d4
- SHA256
  
  844723fe8d0dba68effa0969216be3c67133019f720396c47c8f57752d9c014c
- SHA512
  
  8c2557ff2bcd730f4a99306b19a6b05aaa30a2fc74d77a5d2c4f246bc12edb65c8acb270ce7e0016ea1884ddf9f3268403fc60f498fc6fae927d201aaa20e488
- SSDEEP
  
  24576:wpP4MROxnFH3yRM4qrrcI0AilFEvxHPcdooV:w2MihylqrrcI0AilFEvxHPc
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2