orcus | 2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183 | Triage

Submit
Reports

Overview

overview

Static

static

2ddbc053ba...83.exe

windows7-x64

2ddbc053ba...83.exe

windows10-2004-x64

Sharing

General

Target

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183
Size

919KB
Sample

250103-be5seswlhr
MD5

fa6c9a01e8fd6075e4143fe869f26633
SHA1

b3b7bfb052306ef1f33d327d90c0ba630b6c57ee
SHA256

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183
SHA512

25ec4a100ec760b2a671900ff92438c716fe107be0002ed1b43d7e5ca9baa8796002ccb22ec8db05098af3f68f1c499c56b85dc0536094efb8f313ec1c7bbe0a
SSDEEP

12288:GRzyAHWSkJ6ZBy37dG1lFlWcYT70pxnnaaoawhmD9kgWr8rZNrI0AilFEvxHvBMw:xk84MROxnF31vrZlI0AilFEvxHic+C

Score

10^/10

orcus persistence rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Resource

win7-20240903-en

orcus persistence rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Resource

win10v2004-20241007-en

orcus persistence rat spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

Ezzka1337123123-52059.portmap.host:52059

Mutex

ca01f7484a6e4c3dbdd4b2c03f15df00

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
WindowsDefender
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183
- Size
  
  919KB
- MD5
  
  fa6c9a01e8fd6075e4143fe869f26633
- SHA1
  
  b3b7bfb052306ef1f33d327d90c0ba630b6c57ee
- SHA256
  
  2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183
- SHA512
  
  25ec4a100ec760b2a671900ff92438c716fe107be0002ed1b43d7e5ca9baa8796002ccb22ec8db05098af3f68f1c499c56b85dc0536094efb8f313ec1c7bbe0a
- SSDEEP
  
  12288:GRzyAHWSkJ6ZBy37dG1lFlWcYT70pxnnaaoawhmD9kgWr8rZNrI0AilFEvxHvBMw:xk84MROxnF31vrZlI0AilFEvxHic+C
Score

10^/10

orcus persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcuspersistenceratspywarestealer

behavioral2

orcuspersistenceratspywarestealer

© 2018-2025

Terms | Privacy