General

  • Target

    2025-06-30_f838845d1132d55e0c19a51296e7db79_cobalt-strike_frostygoop_luca-stealer

  • Size

    3.4MB

  • Sample

    250630-tjfyzaz1hx

  • MD5

    f838845d1132d55e0c19a51296e7db79

  • SHA1

    fc66413a71dc1f8e4dfbe025d4d407c7312d94ad

  • SHA256

    2f0364f212551daf5be7eff4fd87236a2cfeaa5487f2cd402c7d5c33b9a2befc

  • SHA512

    41cff9fcfa860b21163df27d7c290dd06f27d09f48f17ef410ee1d23fece4ea8b3a273273bd5dbc31052d0b1fa0e570316c49e7318fb041507ccff33b1c97d0b

  • SSDEEP

    49152:ZseNGMHAbrb/TKvO90dL3BmAFd4A64nsfJUqlgTR55Infwz1:ZsDh6TP

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    Test Infected - NoInstall

  • C2

    45.91.92.112:8869

  • Mutex

    480e7530af23454fb6a2256578aeeb77

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      2025-06-30_f838845d1132d55e0c19a51296e7db79_cobalt-strike_frostygoop_luca-stealer

    • Size

      3.4MB

    • MD5

      f838845d1132d55e0c19a51296e7db79

    • SHA1

      fc66413a71dc1f8e4dfbe025d4d407c7312d94ad

    • SHA256

      2f0364f212551daf5be7eff4fd87236a2cfeaa5487f2cd402c7d5c33b9a2befc

    • SHA512

      41cff9fcfa860b21163df27d7c290dd06f27d09f48f17ef410ee1d23fece4ea8b3a273273bd5dbc31052d0b1fa0e570316c49e7318fb041507ccff33b1c97d0b

    • SSDEEP

      49152:ZseNGMHAbrb/TKvO90dL3BmAFd4A64nsfJUqlgTR55Infwz1:ZsDh6TP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Orcurs Rat Executable

    • Executes dropped EXE

MITRE ATT&CK Enterprise v16

Tasks