orcus | 5607ca389a6be944820b7b4bd30406e3ed83a262da29ccfe15be9238a0c174ec | Triage

Submit
Reports

Overview

overview

Static

static

1

Extra_Moge.rar

windows10-2004-x64

Sharing

General

Target

Extra_Moge.rar
Size

2.6MB
Sample

241226-wm9rkatldx
MD5

a123deba315e0b3ad1e18b0990d448da
SHA1

ee7a5da1d184004850118d2bf843680d9e4cc187
SHA256

5607ca389a6be944820b7b4bd30406e3ed83a262da29ccfe15be9238a0c174ec
SHA512

6069f82471d0eefc72056344e1f36abfed65a13eebfc1f680ab6d268b91e01315c828ff616d8c97d47c32c4443b118719dc113cee0aaa8b0e848f107d3be63e3
SSDEEP

49152:sKUQ5CPOePuefaUu+JAcHgRpJBUmDIIYxQFN53KyEn/P0bVNure:sKUQ5CP1PdfWXFMiFLtMRe

Score

10^/10

orcus extra moge discovery rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Extra_Moge.rar

Resource

win10v2004-20241007-en

orcus extra moge discovery rat spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

Extra Moge

C2

31.44.184.52:15288

Mutex

sudo_7p2chwc9jshuy0noeroo9kyd53z5e34p

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\generatoruploadsto\wpbase.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Targets

- Target
  
  Extra_Moge.rar
- Size
  
  2.6MB
- MD5
  
  a123deba315e0b3ad1e18b0990d448da
- SHA1
  
  ee7a5da1d184004850118d2bf843680d9e4cc187
- SHA256
  
  5607ca389a6be944820b7b4bd30406e3ed83a262da29ccfe15be9238a0c174ec
- SHA512
  
  6069f82471d0eefc72056344e1f36abfed65a13eebfc1f680ab6d268b91e01315c828ff616d8c97d47c32c4443b118719dc113cee0aaa8b0e848f107d3be63e3
- SSDEEP
  
  49152:sKUQ5CPOePuefaUu+JAcHgRpJBUmDIIYxQFN53KyEn/P0bVNure:sKUQ5CP1PdfWXFMiFLtMRe
Score

10^/10

orcus extra moge discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusextra mogediscoveryratspywarestealer

© 2018-2025

Terms | Privacy