orcus

General

Target

a15b51fb441f08f3fce60ae2c9e21a99b08daaf83aa0945f9736415da2e70f8e
Size

904KB
Sample

241112-cckj5svnck
MD5

06085978cd81457dc5ecbed3cff9f61c
SHA1

66aae4ed1eeb563a6100a42a8734733bb6d68665
SHA256

a15b51fb441f08f3fce60ae2c9e21a99b08daaf83aa0945f9736415da2e70f8e
SHA512

9e9e3d01fe2540b845f9a965753a47d8780c2f95eaa16f3d7c9832452e168876eb72b5933ddf0cb2e5474c9370957557ad50c0809d34fe012ddf2901cb5158d0
SSDEEP

24576:IAi4MROxnFHOVrrcI0AilFEvxHPPcooN:IgMiJ8rrcI0AilFEvxHP

Score

10^/10

Malware Config

Extracted

Family

orcus

C2

b7fscoc.localto.net:8763

Mutex

cf06369f7b98472f97643448b3df76ba

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\Roaming\am1\RuntimeBroker.exe
reconnect_delay
10000
registry_keyname
RuntimeBroker
taskscheduler_taskname
RuntimeBroker
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  a15b51fb441f08f3fce60ae2c9e21a99b08daaf83aa0945f9736415da2e70f8e
- Size
  
  904KB
- MD5
  
  06085978cd81457dc5ecbed3cff9f61c
- SHA1
  
  66aae4ed1eeb563a6100a42a8734733bb6d68665
- SHA256
  
  a15b51fb441f08f3fce60ae2c9e21a99b08daaf83aa0945f9736415da2e70f8e
- SHA512
  
  9e9e3d01fe2540b845f9a965753a47d8780c2f95eaa16f3d7c9832452e168876eb72b5933ddf0cb2e5474c9370957557ad50c0809d34fe012ddf2901cb5158d0
- SSDEEP
  
  24576:IAi4MROxnFHOVrrcI0AilFEvxHPPcooN:IgMiJ8rrcI0AilFEvxHP
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2