General

  • Target

    658CB5F3BD26B13BB619C625501D7283.exe

  • Size

    907KB

  • Sample

    210521-dtzh4fq5ds

  • MD5

    658cb5f3bd26b13bb619c625501d7283

  • SHA1

    55ed61f7bd39147201a022ec3f83edfc8c58e002

  • SHA256

    88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

  • SHA512

    d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Malware Config

Extracted

Family

orcus

Botnet

People

C2

4.tcp.ngrok.io:16788

Mutex

55c8e5e3f5fe4794a3ef3a55735c66ad

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %appdata%\MultiRunner\MultiRunner.exe

  • reconnect_delay

    10000 (milliseconds)

  • registry_keyname

    MutliRunner

  • taskscheduler_taskname

    MultiRunner

  • watchdog_path

    AppData\MultiHelper.exe
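A host-side hunt derived from the extracted configuration, added here as an example and not part of the sandbox report: it checks a Windows machine for the install path, watchdog binary, Run value, scheduled task and mutex listed above, and for a live TCP session to the ngrok endpoint. The indicator values are the report's own; the Run-key hives, the reading of "AppData\MultiHelper.exe" as %APPDATA%\MultiHelper.exe and the Global\ mutex variant are assumptions. Because ngrok assigns hostname and port per tunnel session, the C2 value is only useful while that tunnel is up; the persistence names and paths (including the misspelt "MutliRunner" Run value) are the more durable indicators.

```powershell
# Added hunting script (not from the sandbox report). Indicator values are copied
# from the extracted config; hive choice, %APPDATA% for the watchdog and the
# Global\ mutex variant are assumptions.

$Ind = @{
    InstallPath  = Join-Path $env:APPDATA 'MultiRunner\MultiRunner.exe'   # install_path
    WatchdogPath = Join-Path $env:APPDATA 'MultiHelper.exe'               # watchdog_path, "AppData\" read as %APPDATA% (assumed)
    RunKeyName   = 'MutliRunner'                                          # registry_keyname, misspelt exactly as in the config
    TaskName     = 'MultiRunner'                                          # taskscheduler_taskname
    Mutex        = '55c8e5e3f5fe4794a3ef3a55735c66ad'                     # mutex
    C2Host       = '4.tcp.ngrok.io'                                       # c2 host
    C2Port       = 16788                                                  # c2 port
    Sha256       = '88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8'
}
$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files. A SHA256 match ties the file to this exact sample; a mismatch
#    still matters, because the path alone is characteristic of this build.
foreach ($p in @($Ind.InstallPath, $Ind.WatchdogPath)) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $tag = if ($h -eq $Ind.Sha256) { 'same SHA256 as the sample' } else { "SHA256 $h" }
        $Findings.Add("File present: $p ($tag)")
    }
}

# 2. Registry autostart (autostart_method = Registry). Both hives are checked
#    (assumption); a client running as a normal user lands in HKCU.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $key -Name $Ind.RunKeyName -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $Findings.Add("Run value: $key\$($Ind.RunKeyName) = $($val.($Ind.RunKeyName))")
    }
}

# 3. Scheduled task with the configured name.
$task = Get-ScheduledTask -TaskName $Ind.TaskName -ErrorAction SilentlyContinue
if ($task) {
    $Findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($task.Actions.Execute -join ', ')")
}

# 4. Mutex. OpenExisting succeeds (or is denied, which also proves existence) only
#    while a client holds it, so this finds a running infection, not a dormant one.
foreach ($name in @($Ind.Mutex, "Global\$($Ind.Mutex)")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $Findings.Add("Mutex held: $name")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present under this name
    } catch [System.UnauthorizedAccessException] {
        $Findings.Add("Mutex held (access denied): $name")
    }
}

# 5. C2. ngrok hands out a new host:port per tunnel session, so resolve the name now
#    and match only established sessions; the report's values are not a durable blocklist entry.
$ips = @()
try { $ips = [System.Net.Dns]::GetHostAddresses($Ind.C2Host).IPAddressToString } catch { }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq $Ind.C2Port -and $ips -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("C2 session: $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid $($_.OwningProcess) ($($proc.ProcessName))")
    }

if ($Findings.Count -eq 0) { 'No indicators from this report found on this host.' } else { $Findings }
```

Run it from an elevated PowerShell session so that HKLM, the task library and the owning-process field of Get-NetTCPConnection are all readable; without elevation the HKCU, file and mutex checks still work for the current user.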

Targets

    • Target

      658CB5F3BD26B13BB619C625501D7283.exe

    • Size

      907KB

    • MD5

      658cb5f3bd26b13bb619c625501d7283

    • SHA1

      55ed61f7bd39147201a022ec3f83edfc8c58e002

    • SHA256

      88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

    • SHA512

      d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

    • Orcus

      Orcus is a .NET Remote Access Trojan sold on underground forums.

    • Orcus Main Payload

    • Orcus RAT Executable

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

System Information Discovery (T1082)