orcus | 2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a | Triage

Submit
Reports

Overview

overview

Static

static

a65588611b...18.exe

windows7-x64

a65588611b...18.exe

windows10-2004-x64

Sharing

General

Target

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118
Size

1.3MB
Sample

240613-s73bfaygqq
MD5

a65588611bea2e11e8b7a783586d45ed
SHA1

70df9e0bb904ec5cacd4ccc54950d3029ab322c9
SHA256

2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a
SHA512

123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8
SSDEEP

24576:jyI4MROxnFt3v9MQvrZlI0AilFEvxHidsRN+Sr5P8WmA2TzKsv+6k2C:jyrMijm0rZlI0AilFEvxHi2Fr5WycC

Score

10^/10

orcus hi persistence rat spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

Resource

win7-20240611-en

orcus hi persistence rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

Resource

win10v2004-20240611-en

orcus hi persistence rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

orcus

Botnet

hi

C2

owo-whats-this.duckdns.org:6969

Mutex

589c23b486c142cc84a5650aff03530f

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\owo\OwO.exe
reconnect_delay
10000
registry_keyname
WWWWWWWWWWW
taskscheduler_taskname
WWWWWW
watchdog_path
Temp\hostwd.exe

Targets

- Target
  
  a65588611bea2e11e8b7a783586d45ed_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  a65588611bea2e11e8b7a783586d45ed
- SHA1
  
  70df9e0bb904ec5cacd4ccc54950d3029ab322c9
- SHA256
  
  2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a
- SHA512
  
  123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8
- SSDEEP
  
  24576:jyI4MROxnFt3v9MQvrZlI0AilFEvxHidsRN+Sr5P8WmA2TzKsv+6k2C:jyrMijm0rZlI0AilFEvxHi2Fr5WycC
Score

10^/10

orcus hi persistence rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

orcushipersistenceratspywarestealer

behavioral2

orcushipersistenceratspywarestealer

© 2018-2024

Terms | Privacy