General

  • Target

    f38fc16a733ab3d1946f4b3e73ad2ba96539c8168081aa00512b03dff85df768

  • Size

    981KB

  • Sample

    250127-bf6q4sspaw

  • MD5

    b02859003f6b038c81cbac25f1b47c4e

  • SHA1

    372b069847f547e80827ca54f739e1b521e64163

  • SHA256

    f38fc16a733ab3d1946f4b3e73ad2ba96539c8168081aa00512b03dff85df768

  • SHA512

    41123fb211f3936f07dbc3c5fe5cd86195b734f7e7ab35c61706a7d127057124b00f0dfa478a1e85158fdb007adb65993dd699ec87cc735d56f57b489ce5a300

  • SSDEEP

    24576:FGq4MROxnFi37ssrrcI0AilFEvxHProo0B:FuMiogsrrcI0AilFEvxHPO

Malware Config

Extracted

Family

orcus

C2

192.168.56.1:6969

Mutex

cdcfb8e01bd24ecf81196eacf6c2613f

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    minecraft(aimbot)

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets


    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL
