orcus | dc34a84ca9c36fbc3d047f9d3c2ca8cd4f9060fbef49f0b4f13cec77944cf449 | Triage

Submit
Reports

Overview

overview

Static

static

dc34a84ca9...49.exe

windows7-x64

dc34a84ca9...49.exe

windows10-2004-x64

Sharing

General

Target

dc34a84ca9c36fbc3d047f9d3c2ca8cd4f9060fbef49f0b4f13cec77944cf449
Size

920KB
Sample

250203-blf3msvkfv
MD5

09f07afdf05a07d4fc75bba271c1d55f
SHA1

ce46cf71cacb51b41ae548e9a6c272fc88c0b048
SHA256

dc34a84ca9c36fbc3d047f9d3c2ca8cd4f9060fbef49f0b4f13cec77944cf449
SHA512

7d7107eb34f1bd8ea3e0afa54bc1588a245211146748e29709dd15f9c83fbddbe1a013828d315bccf7bcb1a6460ef6eeba292bad8da65138314f1213a2cf1ad9
SSDEEP

24576:9wV4MROxnFZ3+kTZKrZlI0AilFEvxHiei4:9wCMi7wrZlI0AilFEvxHie

Score

10^/10

orcus discovery persistence rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

dc34a84ca9c36fbc3d047f9d3c2ca8cd4f9060fbef49f0b4f13cec77944cf449.exe

Resource

win7-20241010-en

orcus discovery persistence rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

dc34a84ca9c36fbc3d047f9d3c2ca8cd4f9060fbef49f0b4f13cec77944cf449.exe

Resource

win10v2004-20241007-en

orcus discovery persistence rat spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

147.185.221.24:35724

Mutex

2343b4b69eb4448f8b90fbdd06301150

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchosts
watchdog_path
AppData\svchost.exe

Targets

- Target
  
  dc34a84ca9c36fbc3d047f9d3c2ca8cd4f9060fbef49f0b4f13cec77944cf449
- Size
  
  920KB
- MD5
  
  09f07afdf05a07d4fc75bba271c1d55f
- SHA1
  
  ce46cf71cacb51b41ae548e9a6c272fc88c0b048
- SHA256
  
  dc34a84ca9c36fbc3d047f9d3c2ca8cd4f9060fbef49f0b4f13cec77944cf449
- SHA512
  
  7d7107eb34f1bd8ea3e0afa54bc1588a245211146748e29709dd15f9c83fbddbe1a013828d315bccf7bcb1a6460ef6eeba292bad8da65138314f1213a2cf1ad9
- SSDEEP
  
  24576:9wV4MROxnFZ3+kTZKrZlI0AilFEvxHiei4:9wCMi7wrZlI0AilFEvxHie
Score

10^/10

orcus discovery persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoverypersistenceratspywarestealer

behavioral2

orcusdiscoverypersistenceratspywarestealer

© 2018-2025

Terms | Privacy