orcus | 1a3ed0c77c2f2f3b1094eb76cd25fcd39aa0b8790ab099570ec7acb9b5ae1a22 | Triage

Submit
Reports

Overview

overview

Static

static

1

64657c8e28...1.webp

windows10-2004-x64

Sharing

General

Target

64657c8e2891fee00ec8d8763b2ad4b1.webp
Size

1KB
Sample

250102-csjb1sxrgz
MD5

4cbe96bdb920f426f2adc24b954ff59a
SHA1

d0d196ea0a62464cf443e21983500b93aa8751de
SHA256

1a3ed0c77c2f2f3b1094eb76cd25fcd39aa0b8790ab099570ec7acb9b5ae1a22
SHA512

f1b7c73b4946cdda5318a2489dced7cd6f6a3598e1d93632349d56e516e9f4c35d57560aa6972f823f41720d02252f85ae702decbd3192e833ac5c27eb59acad

Score

10^/10

orcus discovery execution phishing rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

64657c8e2891fee00ec8d8763b2ad4b1.webp

Resource

win10v2004-20241007-en

orcus discovery execution phishing rat spyware stealer

windows10-2004-x64

36 signatures

900 seconds

Malware Config

Targets

- Target
  
  64657c8e2891fee00ec8d8763b2ad4b1.webp
- Size
  
  1KB
- MD5
  
  4cbe96bdb920f426f2adc24b954ff59a
- SHA1
  
  d0d196ea0a62464cf443e21983500b93aa8751de
- SHA256
  
  1a3ed0c77c2f2f3b1094eb76cd25fcd39aa0b8790ab099570ec7acb9b5ae1a22
- SHA512
  
  f1b7c73b4946cdda5318a2489dced7cd6f6a3598e1d93632349d56e516e9f4c35d57560aa6972f823f41720d02252f85ae702decbd3192e833ac5c27eb59acad
Score

10^/10

orcus discovery execution phishing rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcurs Rat Executable
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoveryexecutionphishingratspywarestealer

© 2018-2025

Terms | Privacy