orcus | bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031 | Triage

Sharing

General

Target

bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031
Size

3.0MB
Sample

241230-bhh3tssphl
MD5

5cc99251e0b8789e36ad013b38c75632
SHA1

7aae31f2e5cf63e7e3a0d926f0f3c186565ebdc6
SHA256

bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031
SHA512

4be001412f90ce660b6e673e3eaf301cffa53a81b4b548d1b322bec976fd2d3a43b101299824c25cba5cd4d761ee5cf8b8940c23433910be11671a27f524bee4
SSDEEP

49152:3gt1ZeM9/3EgHcyH4Z9fVTB4krLzS+HAypQxbOqUo9JnCmuxI3lGnlFreInnczWL:3gtGjzD5rfLgypSbKo9JCmn3E

Score

10^/10

orcus babylon discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Babylon

C2

vimeworldserverstat.serveminecraft.net:443

Mutex

a19e8216786644dc8db8ae5307f5d5be

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%appdata%\Microsoft Edge\UpdateService.exe
reconnect_delay
10000
registry_keyname
Microsoft Edge Update Service
taskscheduler_taskname
Microsoft Edge Update Service
watchdog_path
AppData\EdgeUpdate.exe

Targets

- Target
  
  bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031
- Size
  
  3.0MB
- MD5
  
  5cc99251e0b8789e36ad013b38c75632
- SHA1
  
  7aae31f2e5cf63e7e3a0d926f0f3c186565ebdc6
- SHA256
  
  bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031
- SHA512
  
  4be001412f90ce660b6e673e3eaf301cffa53a81b4b548d1b322bec976fd2d3a43b101299824c25cba5cd4d761ee5cf8b8940c23433910be11671a27f524bee4
- SSDEEP
  
  49152:3gt1ZeM9/3EgHcyH4Z9fVTB4krLzS+HAypQxbOqUo9JnCmuxI3lGnlFreInnczWL:3gtGjzD5rfLgypSbKo9JCmn3E
Score

10^/10

orcus babylon discovery persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusbabylondiscoverypersistenceratspywarestealer

behavioral2

orcusbabylondiscoverypersistenceratspywarestealer