orcus | 6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3 | Triage

Submit
Reports

Overview

overview

Static

static

3

File.exe

windows7-x64

File.exe

windows10-2004-x64

Sharing

General

Target

File.exe
Size

6.9MB
Sample

241203-ry56asyraw
MD5

5eecc13df41c8e6967f8a3ecb1d0cda9
SHA1

8ac9ce30344f976a09da51da509dee5d2b0e8723
SHA256

6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3
SHA512

24c981ad16a5bc65738127dc27f2c804f4678671a8c13ff60ef2edcf795b8b6d505d121f407514dfbe7853b5d7577299ae30832319d21e83c5c18f5c638382d1
SSDEEP

196608:2ALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:k6fuiPrfZ1RBP60bs25rXQ66WnG

Score

10^/10

orcus discovery rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

File.exe

Resource

win7-20240903-en

orcus discovery rat spyware stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

File.exe

Resource

win10v2004-20241007-en

orcus discovery rat spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

45.74.38.211:4782

Mutex

7a9c0f279c464958aebbd585f20f1cf2

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  File.exe
- Size
  
  6.9MB
- MD5
  
  5eecc13df41c8e6967f8a3ecb1d0cda9
- SHA1
  
  8ac9ce30344f976a09da51da509dee5d2b0e8723
- SHA256
  
  6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3
- SHA512
  
  24c981ad16a5bc65738127dc27f2c804f4678671a8c13ff60ef2edcf795b8b6d505d121f407514dfbe7853b5d7577299ae30832319d21e83c5c18f5c638382d1
- SSDEEP
  
  196608:2ALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:k6fuiPrfZ1RBP60bs25rXQ66WnG
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoveryratspywarestealer

behavioral2

orcusdiscoveryratspywarestealer

© 2018-2024

Terms | Privacy