orcus | 5b618ba9e3a32f7980196311f12d2d283d9512d1e1a83d9c207d23acbaad018b | Triage

Submit
Reports

Overview

overview

Static

static

5b618ba9e3...8b.exe

windows7-x64

5b618ba9e3...8b.exe

windows10-2004-x64

Sharing

General

Target

5b618ba9e3a32f7980196311f12d2d283d9512d1e1a83d9c207d23acbaad018b
Size

926KB
Sample

241215-bdymqa1ncj
MD5

5d7cfb4bf6a987ed92c77e51f58fde41
SHA1

d75b0c92a09e5fe73df75d1850a4f625a257162f
SHA256

5b618ba9e3a32f7980196311f12d2d283d9512d1e1a83d9c207d23acbaad018b
SHA512

531c5fef50e4aa2220ac9bc0bda328a3348f01fce89c1fe7fb700cd01422f2b3e61335d7b4a1e54ca8abfeb23eb4765491f61aa5af52ff63ed5b19ecec788073
SSDEEP

24576:vIY4MROxnFE38O3VrrcI0AilFEvxHPToox:vaMiuZVrrcI0AilFEvxHP

Score

10^/10

orcus discovery persistence rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

5b618ba9e3a32f7980196311f12d2d283d9512d1e1a83d9c207d23acbaad018b.exe

Resource

win7-20240903-en

orcus discovery persistence rat spyware stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

5b618ba9e3a32f7980196311f12d2d283d9512d1e1a83d9c207d23acbaad018b.exe

Resource

win10v2004-20241007-en

orcus discovery persistence rat spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

tcp.cloudpub.ru:63094

Mutex

f809db9e18254c08a79e8950f3742790

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
Temp\OrcusWatchdog.exe

Targets

- Target
  
  5b618ba9e3a32f7980196311f12d2d283d9512d1e1a83d9c207d23acbaad018b
- Size
  
  926KB
- MD5
  
  5d7cfb4bf6a987ed92c77e51f58fde41
- SHA1
  
  d75b0c92a09e5fe73df75d1850a4f625a257162f
- SHA256
  
  5b618ba9e3a32f7980196311f12d2d283d9512d1e1a83d9c207d23acbaad018b
- SHA512
  
  531c5fef50e4aa2220ac9bc0bda328a3348f01fce89c1fe7fb700cd01422f2b3e61335d7b4a1e54ca8abfeb23eb4765491f61aa5af52ff63ed5b19ecec788073
- SSDEEP
  
  24576:vIY4MROxnFE38O3VrrcI0AilFEvxHPToox:vaMiuZVrrcI0AilFEvxHP
Score

10^/10

orcus discovery persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoverypersistenceratspywarestealer

behavioral2

orcusdiscoverypersistenceratspywarestealer

© 2018-2025

Terms | Privacy