orcus | 1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860 | Triage

Sharing

General

Target

1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860
Size

3.0MB
Sample

241107-byncgssgmr
MD5

5061282fe58821440585f7bbb1708423
SHA1

f64e5554bd39d34f872f9e74bef2b6bdcdb5541d
SHA256

1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860
SHA512

3ad7f99cba8fded3c1be9c3ee3611308915eedaea18ec9c02b7ef245d2cd4bb7caab8cb15f50db00f64eb4c6c2ac180feeb7fc5d4f91caab0943c2e1fbb3d61d
SSDEEP

49152:Y02N8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmFWncFf0I74gu3tM:Yd0wGGzBjryX82uypSb9ndo9JCm

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.50.155:10134

Mutex

5c4ed961518e4098bff05128f1a5b804

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\sistem\sistem.exe
reconnect_delay
10000
registry_keyname
sistem
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860
- Size
  
  3.0MB
- MD5
  
  5061282fe58821440585f7bbb1708423
- SHA1
  
  f64e5554bd39d34f872f9e74bef2b6bdcdb5541d
- SHA256
  
  1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860
- SHA512
  
  3ad7f99cba8fded3c1be9c3ee3611308915eedaea18ec9c02b7ef245d2cd4bb7caab8cb15f50db00f64eb4c6c2ac180feeb7fc5d4f91caab0943c2e1fbb3d61d
- SSDEEP
  
  49152:Y02N8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmFWncFf0I74gu3tM:Yd0wGGzBjryX82uypSb9ndo9JCm
Score

10^/10

orcus persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcuspersistenceratspywarestealer

behavioral2

orcuspersistenceratspywarestealer