orcus | 2100e0c5596f8bf896056a71ed91c8a695198a5b643322cf0eb9f8496a3525e1 | Triage

Submit
Reports

Overview

overview

Static

static

2100e0c559...e1.exe

windows7-x64

2100e0c559...e1.exe

windows10-2004-x64

Sharing

General

Target

2100e0c5596f8bf896056a71ed91c8a695198a5b643322cf0eb9f8496a3525e1
Size

3.0MB
Sample

241212-bg88mazjfj
MD5

83cc0cba6f510ad5eb3142f10019e36b
SHA1

e0f4545ef4c967a8a22a1b4790a88b6fe679446b
SHA256

2100e0c5596f8bf896056a71ed91c8a695198a5b643322cf0eb9f8496a3525e1
SHA512

7a87f2dbb054495a1f91b8bd7c1dd232314d3eca1b3b95798af0eb7518a99bd6f585124e9ac9f1f06c144ed9ce6b9efe5bf674141b83ac177484a786948a81fd
SSDEEP

49152:HwVN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmBWncFf0I74gu3aM:HM0wGGzBjryX82uypSb9ndo9JCm

Score

10^/10

orcus infected discovery persistence rat spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2100e0c5596f8bf896056a71ed91c8a695198a5b643322cf0eb9f8496a3525e1.exe

Resource

win7-20241023-en

orcus infected discovery persistence rat spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

2100e0c5596f8bf896056a71ed91c8a695198a5b643322cf0eb9f8496a3525e1.exe

Resource

win10v2004-20241007-en

orcus infected discovery persistence rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

infected

C2

198.98.58.93:1488

Mutex

03b150025848404291d3303886afa2a3

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\WindowsFirewall\runtime.exe
reconnect_delay
10000
registry_keyname
registry
taskscheduler_taskname
Orcus
watchdog_path
AppData\Windows_Services.exe

Targets

- Target
  
  2100e0c5596f8bf896056a71ed91c8a695198a5b643322cf0eb9f8496a3525e1
- Size
  
  3.0MB
- MD5
  
  83cc0cba6f510ad5eb3142f10019e36b
- SHA1
  
  e0f4545ef4c967a8a22a1b4790a88b6fe679446b
- SHA256
  
  2100e0c5596f8bf896056a71ed91c8a695198a5b643322cf0eb9f8496a3525e1
- SHA512
  
  7a87f2dbb054495a1f91b8bd7c1dd232314d3eca1b3b95798af0eb7518a99bd6f585124e9ac9f1f06c144ed9ce6b9efe5bf674141b83ac177484a786948a81fd
- SSDEEP
  
  49152:HwVN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmBWncFf0I74gu3aM:HM0wGGzBjryX82uypSb9ndo9JCm
Score

10^/10

orcus infected discovery persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusinfecteddiscoverypersistenceratspywarestealer

behavioral2

orcusinfecteddiscoverypersistenceratspywarestealer

© 2018-2025

Terms | Privacy