orcus | 226ec253ffea4cf694beead5ee591540a056fbf423bdf39f7f1ce7f17241aa79 | Triage

Submit
Reports

Overview

overview

Static

static

ExeraLoader.exe

windows10-2004-x64

Sharing

General

Target

ExeraLoader.exe
Size

3.0MB
Sample

250205-c1rclavmfy
MD5

967a76406b833408269300b470cba1d7
SHA1

1988b2f59f9dcc09035ba413d1a81f724ce6d727
SHA256

226ec253ffea4cf694beead5ee591540a056fbf423bdf39f7f1ce7f17241aa79
SHA512

1d36400a043c30f0f76e117287a2a05d0dedb322ab1a38db8e4990c155ccf14f60a54f81ae4860f6b4e35a411d9ea15388b3c2cfd3ef81bb5673d2c362200dd2
SSDEEP

49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qb:CsHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus exeradbd discovery rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

ExeraLoader.exe

Resource

win10v2004-20250129-en

orcus exeradbd discovery rat spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

ExeraDBD

C2

31.44.184.52:57581

Mutex

sudo_cphi4rohn8s06p230o7ave0vlq6yznce

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\linelinux\protectgeo.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Targets

- Target
  
  ExeraLoader.exe
- Size
  
  3.0MB
- MD5
  
  967a76406b833408269300b470cba1d7
- SHA1
  
  1988b2f59f9dcc09035ba413d1a81f724ce6d727
- SHA256
  
  226ec253ffea4cf694beead5ee591540a056fbf423bdf39f7f1ce7f17241aa79
- SHA512
  
  1d36400a043c30f0f76e117287a2a05d0dedb322ab1a38db8e4990c155ccf14f60a54f81ae4860f6b4e35a411d9ea15388b3c2cfd3ef81bb5673d2c362200dd2
- SSDEEP
  
  49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qb:CsHTPJg8z1mKnypSbRxo9JCm
Score

10^/10

orcus exeradbd discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusexeradbddiscoveryratspywarestealer

© 2018-2025

Terms | Privacy