orcus | c010f24789ecc04d92b1ba71d4633dc39f8eb4cc4a26e6f097b500f0414d4f59 | Triage

Submit
Reports

Overview

overview

Static

static

c010f24789...59.exe

windows7-x64

c010f24789...59.exe

windows10-2004-x64

Sharing

General

Target

c010f24789ecc04d92b1ba71d4633dc39f8eb4cc4a26e6f097b500f0414d4f59
Size

924KB
Sample

241224-bkjr5sxmdv
MD5

995bb10dc32aab55bcf4a5da69556b92
SHA1

6fa508312c4304cd0fda75440244e7829ddb0f85
SHA256

c010f24789ecc04d92b1ba71d4633dc39f8eb4cc4a26e6f097b500f0414d4f59
SHA512

b71eeed4f4873cac3064751c7afaa78c3b99c9190dd7df38078ae0fb77d308386b1b82da44373cb0757cd87de4606abe883b4296e708e873e70a5288c47f52de
SSDEEP

24576:p3d4MROxnFE3iirrrcI0AilFEvxHPIoo8:p6MiuVrrrcI0AilFEvxHP

Score

10^/10

orcus testbuild1 discovery persistence rat spyware stealer

Static task

static1

testbuild1 orcus

4 signatures

Behavioral task

behavioral1

Sample

c010f24789ecc04d92b1ba71d4633dc39f8eb4cc4a26e6f097b500f0414d4f59.exe

Resource

win7-20241010-en

orcus testbuild1 discovery persistence rat spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

c010f24789ecc04d92b1ba71d4633dc39f8eb4cc4a26e6f097b500f0414d4f59.exe

Resource

win10v2004-20241007-en

orcus testbuild1 discovery persistence rat spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

testbuild1

C2

127.0.0.1:1268

Mutex

979c2ee9d7ff48d0a2e4e2df3c2c864d

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Common Files\System\HD Audio\HDAudio.exe
reconnect_delay
10000
registry_keyname
HDAudioDriver
taskscheduler_taskname
HDAudioDriver
watchdog_path
AppData\HDAudioWatchdog.exe

Targets

- Target
  
  c010f24789ecc04d92b1ba71d4633dc39f8eb4cc4a26e6f097b500f0414d4f59
- Size
  
  924KB
- MD5
  
  995bb10dc32aab55bcf4a5da69556b92
- SHA1
  
  6fa508312c4304cd0fda75440244e7829ddb0f85
- SHA256
  
  c010f24789ecc04d92b1ba71d4633dc39f8eb4cc4a26e6f097b500f0414d4f59
- SHA512
  
  b71eeed4f4873cac3064751c7afaa78c3b99c9190dd7df38078ae0fb77d308386b1b82da44373cb0757cd87de4606abe883b4296e708e873e70a5288c47f52de
- SSDEEP
  
  24576:p3d4MROxnFE3iirrrcI0AilFEvxHPIoo8:p6MiuVrrrcI0AilFEvxHP
Score

10^/10

orcus testbuild1 discovery persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

testbuild1orcus

behavioral1

orcustestbuild1discoverypersistenceratspywarestealer

behavioral2

orcustestbuild1discoverypersistenceratspywarestealer

© 2018-2025

Terms | Privacy