orcus | 1b86c0a614e5dfc254302ed5667250ec7bbb3cb0dae40d9e86e40f322fefb03f | Triage

Submit
Reports

Overview

overview

Static

static

1b86c0a614...3f.exe

windows7-x64

1b86c0a614...3f.exe

windows10-2004-x64

Sharing

General

Target

1b86c0a614e5dfc254302ed5667250ec7bbb3cb0dae40d9e86e40f322fefb03f
Size

3.0MB
Sample

250209-bk36sa1rfm
MD5

02e326a7262b28611a9f19dc6397c8c1
SHA1

f246825eb6a94046fd55c3875d2f013d6500b020
SHA256

1b86c0a614e5dfc254302ed5667250ec7bbb3cb0dae40d9e86e40f322fefb03f
SHA512

7dbbc8f1f9b57d868aa7c73e0f2e9ddbfaa08a71a626246dae38fdc26f94b75eeae0ce19a17793bb492da872c179dc815c0ee8ef51d62e997f5d272e6658109a
SSDEEP

49152:o1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:oUHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus новый тег discovery rat spyware stealer

Static task

static1

новый тег orcus

4 signatures

Behavioral task

behavioral1

Sample

1b86c0a614e5dfc254302ed5667250ec7bbb3cb0dae40d9e86e40f322fefb03f.exe

Resource

win7-20241010-en

orcus новый тег discovery rat spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1b86c0a614e5dfc254302ed5667250ec7bbb3cb0dae40d9e86e40f322fefb03f.exe

Resource

win10v2004-20250207-en

orcus новый тег discovery rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

C2

31.44.184.52:62202

Mutex

sudo_6140u830l134x59enribfloaemhkbuvm

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\secureprocessgenerator\securecdn.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Targets

- Target
  
  1b86c0a614e5dfc254302ed5667250ec7bbb3cb0dae40d9e86e40f322fefb03f
- Size
  
  3.0MB
- MD5
  
  02e326a7262b28611a9f19dc6397c8c1
- SHA1
  
  f246825eb6a94046fd55c3875d2f013d6500b020
- SHA256
  
  1b86c0a614e5dfc254302ed5667250ec7bbb3cb0dae40d9e86e40f322fefb03f
- SHA512
  
  7dbbc8f1f9b57d868aa7c73e0f2e9ddbfaa08a71a626246dae38fdc26f94b75eeae0ce19a17793bb492da872c179dc815c0ee8ef51d62e997f5d272e6658109a
- SSDEEP
  
  49152:o1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:oUHTPJg8z1mKnypSbRxo9JCm
Score

10^/10

orcus новый тег discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Orcus main payload
- Orcurs Rat Executable
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

новый тегorcus

behavioral1

orcusновый тегdiscoveryratspywarestealer

behavioral2

orcusновый тегdiscoveryratspywarestealer

© 2018-2025

Terms | Privacy