General

  • Target

    Valorant Script.bat.exe

  • Size

    1.4MB

  • Sample

    210526-v1egykknse

  • MD5

    637b3b849ab42985bd2bc59982202df9

  • SHA1

    359dab386ed04c7e9bf1dac6af68ff4b70ee6d71

  • SHA256

    994d07673de5e6dde1e1292d3502ce4f122c18e112a196278ee5f269b517399c

  • SHA512

    db676cc9cc802d57093b6a71a4cba36e84b93e3ca57c421dc3998c219d711cbdadb3537db2d60b94ad14da5cce1c484a59d8d98ddff112715840d218f1d55488

Malware Config

Extracted

Family

orcus

Botnet

lol

C2

isnadsknsbs-38398.portmap.host:12201

Mutex

e1b8920439fc43a68e4d8395e70dc516

Attributes

  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      Valorant Script.bat.exe

    • Size

      1.4MB


    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus Main Payload

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    System Information Discovery (T1082): 1

Tasks