orcus | 87f7c9621a398d1463e9b6e095704ce6a1d63f55ba8a6c88fdbef6dca7e7232c | Triage

Submit
Reports

Overview

overview

Static

static

87f7c9621a...2c.exe

windows7-x64

87f7c9621a...2c.exe

windows10-2004-x64

Sharing

General

Target

87f7c9621a398d1463e9b6e095704ce6a1d63f55ba8a6c88fdbef6dca7e7232c
Size

912KB
Sample

240609-bm3m2aca58
MD5

40d323b48e02a159e2902bba5d60d585
SHA1

a7e40602a8172e1f5f501e5400346724a7eb8ca1
SHA256

87f7c9621a398d1463e9b6e095704ce6a1d63f55ba8a6c88fdbef6dca7e7232c
SHA512

162b6fab5a760a94cead19f1d4b982a187ba08621ba495685a62e858714f1012ab25428e14eba72d82dcfa445a9805c42c52b1352e9ff44bba8579c07e103287
SSDEEP

24576:Dam4MROxnFrFPurerrcI0AilFEvxHPmUFoop:DOMiMerrcI0AilFEvxHPmU

Score

10^/10

orcus rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

87f7c9621a398d1463e9b6e095704ce6a1d63f55ba8a6c88fdbef6dca7e7232c.exe

Resource

win7-20240221-en

orcus rat spyware stealer

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

87f7c9621a398d1463e9b6e095704ce6a1d63f55ba8a6c88fdbef6dca7e7232c.exe

Resource

win10v2004-20240426-en

orcus rat spyware stealer

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

orcus

C2

192.168.1.56:10134

Mutex

e9854b98f65745a89d715a85a4ff1de8

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  87f7c9621a398d1463e9b6e095704ce6a1d63f55ba8a6c88fdbef6dca7e7232c
- Size
  
  912KB
- MD5
  
  40d323b48e02a159e2902bba5d60d585
- SHA1
  
  a7e40602a8172e1f5f501e5400346724a7eb8ca1
- SHA256
  
  87f7c9621a398d1463e9b6e095704ce6a1d63f55ba8a6c88fdbef6dca7e7232c
- SHA512
  
  162b6fab5a760a94cead19f1d4b982a187ba08621ba495685a62e858714f1012ab25428e14eba72d82dcfa445a9805c42c52b1352e9ff44bba8579c07e103287
- SSDEEP
  
  24576:Dam4MROxnFrFPurerrcI0AilFEvxHPmUFoop:DOMiMerrcI0AilFEvxHPmU
Score

10^/10

orcus rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

orcusratspywarestealer

behavioral2

orcusratspywarestealer

© 2018-2024

Terms | Privacy