orcus | 9b52478f24a02f622d71fc14c484e03dd240f0ac0b9166e0b58defa0edfc0404 | Triage

Submit
Reports

Overview

overview

Static

static

3

OrcusRAT.exe

windows7-x64

OrcusRAT.exe

windows10-2004-x64

Resubmissions

10-02-2025 03:23

250210-dxrdvszrgv 10

10-02-2025 03:16

250210-dspdpszqhw 10

Sharing

General

Target

OrcusRAT.exe
Size

16.3MB
Sample

250210-dxrdvszrgv
MD5

bec4a5b0b6db81ce39d6f2e3721911e3
SHA1

4d5cff870c8012f0978ecb6d4a579dc84a4f2ad3
SHA256

9b52478f24a02f622d71fc14c484e03dd240f0ac0b9166e0b58defa0edfc0404
SHA512

8990173964cd8ff719ac3f524e0ba6c5a99c815ecf6549cf67b126e7d581b8a2a8bc1432fc7d844f5e4b590b3554ee320370968be3fc5b7c623d3e8b29d8b1c6
SSDEEP

196608:CI6JYPVMxrZbapOU4SxTtn52dQ2CIierfBrec1CoHktdsXNPIawd4D3jtg4neJx0:C9JYaxrckZxQ2I431HHiWE63ju4en

Score

10^/10

orcus xworm discovery execution persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

OrcusRAT.exe

Resource

win7-20240903-en

orcus xworm discovery execution persistence rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

OrcusRAT.exe

Resource

win10v2004-20250207-en

orcus xworm discovery execution persistence rat spyware stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:32934

skidderhay-32934.portmap.host:32934

Mutex

lbyKzAzevfD9uOTG

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  OrcusRAT.exe
- Size
  
  16.3MB
- MD5
  
  bec4a5b0b6db81ce39d6f2e3721911e3
- SHA1
  
  4d5cff870c8012f0978ecb6d4a579dc84a4f2ad3
- SHA256
  
  9b52478f24a02f622d71fc14c484e03dd240f0ac0b9166e0b58defa0edfc0404
- SHA512
  
  8990173964cd8ff719ac3f524e0ba6c5a99c815ecf6549cf67b126e7d581b8a2a8bc1432fc7d844f5e4b590b3554ee320370968be3fc5b7c623d3e8b29d8b1c6
- SSDEEP
  
  196608:CI6JYPVMxrZbapOU4SxTtn52dQ2CIierfBrec1CoHktdsXNPIawd4D3jtg4neJx0:C9JYaxrckZxQ2I431HHiWE63ju4en
Score

10^/10

orcus xworm discovery execution persistence rat spyware stealer trojan
- Detect Xworm Payload
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Orcurs Rat Executable
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusxwormdiscoveryexecutionpersistenceratspywarestealertrojan

behavioral2

orcusxwormdiscoveryexecutionpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy