orcus | 6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3 | Triage

Sharing

General

Target

6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3.exe
Size

6.9MB
Sample

241204-c64j4sxngs
MD5

5eecc13df41c8e6967f8a3ecb1d0cda9
SHA1

8ac9ce30344f976a09da51da509dee5d2b0e8723
SHA256

6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3
SHA512

24c981ad16a5bc65738127dc27f2c804f4678671a8c13ff60ef2edcf795b8b6d505d121f407514dfbe7853b5d7577299ae30832319d21e83c5c18f5c638382d1
SSDEEP

196608:2ALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:k6fuiPrfZ1RBP60bs25rXQ66WnG

Score

10^/10

orcus ta505 discovery execution persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

45.74.38.211:4782

Mutex

7a9c0f279c464958aebbd585f20f1cf2

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3.exe
- Size
  
  6.9MB
- MD5
  
  5eecc13df41c8e6967f8a3ecb1d0cda9
- SHA1
  
  8ac9ce30344f976a09da51da509dee5d2b0e8723
- SHA256
  
  6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3
- SHA512
  
  24c981ad16a5bc65738127dc27f2c804f4678671a8c13ff60ef2edcf795b8b6d505d121f407514dfbe7853b5d7577299ae30832319d21e83c5c18f5c638382d1
- SSDEEP
  
  196608:2ALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:k6fuiPrfZ1RBP60bs25rXQ66WnG
Score

10^/10

orcus ta505 discovery execution persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Suspicious use of NtCreateUserProcessOtherParentProcess
- TA505
  Cybercrime group active since 2015, responsible for families like Dridex and Locky.
  ta505
- Ta505 family
  ta505
- Orcurs Rat Executable
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusta505discoveryexecutionpersistenceratspywarestealer

behavioral2

orcusta505discoveryexecutionpersistenceratspywarestealer