orcus | 3e44b4569dbbf3b77f6bd8d232962f57269aa77d4e42e5906e460474d20bde90 | Triage

Sharing

General

Target

file.exe
Size

4.1MB
Sample

241205-vrdz1stnbv
MD5

8158f2604b140c677599c7e151b01caa
SHA1

86c85b589762df652ef89085ad524cdbe64c6788
SHA256

3e44b4569dbbf3b77f6bd8d232962f57269aa77d4e42e5906e460474d20bde90
SHA512

e9a8411406802d76f58ac938a35a707022c68a8f7d4b00cef8e020815a5990c48c7af0f06bdb1cf4a49c1d5ee21d4a2cff979414d233ae297cbf9f0dbe2d7ee7
SSDEEP

49152:PWhfJr3YyD89qp8eFgu/HrSHDMui9lhH8/07KJOZJcfs5HPsuvBkM+SsAeF92H2M:PeIyTKeFNPHW07KMncfaPs/AL2z5qN

Score

10^/10

orcus discovery evasion persistence rat spyware stealer

Malware Config

Targets

- Target
  
  file.exe
- Size
  
  4.1MB
- MD5
  
  8158f2604b140c677599c7e151b01caa
- SHA1
  
  86c85b589762df652ef89085ad524cdbe64c6788
- SHA256
  
  3e44b4569dbbf3b77f6bd8d232962f57269aa77d4e42e5906e460474d20bde90
- SHA512
  
  e9a8411406802d76f58ac938a35a707022c68a8f7d4b00cef8e020815a5990c48c7af0f06bdb1cf4a49c1d5ee21d4a2cff979414d233ae297cbf9f0dbe2d7ee7
- SSDEEP
  
  49152:PWhfJr3YyD89qp8eFgu/HrSHDMui9lhH8/07KJOZJcfs5HPsuvBkM+SsAeF92H2M:PeIyTKeFNPHW07KMncfaPs/AL2z5qN
Score

10^/10

orcus discovery evasion persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Looks for VirtualBox Guest Additions in registry
  evasion
- Orcurs Rat Executable
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoveryevasionpersistenceratspywarestealer

behavioral2