Overview

overview

10

Static

static

10

3E40414D3D...8B.exe

windows7_x64

10

3E40414D3D...8B.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3E40414D3D75B88373027C33BBE22E90A6EF7FDF7C98B.exe

  • Size

    2.0MB

  • Sample

    210627-txnqrvge6e

  • MD5

    1827c3deb2f17ab048cbfd62e3bbd861

  • SHA1

    89f978070089ef8b477dfa653724150f2e7f7417

  • SHA256

    3e40414d3d75b88373027c33bbe22e90a6ef7fdf7c98b8b6e8a8e51b4b781a56

  • SHA512

    fef79fff23736f404b8a38895f1f729deae7341b9e8ad7266f5ed761250ab3afa1f8e8485086417367cb6a81179a2e80cca7e279f3082722f7f96b00ef0f0e2a

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

3.143.239.116:10134

Mutex

e39a4bc6c5f84fd588c4a3159c804f42

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Chrome

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    Temp\OrcusWatchdog.exe

Targets

    • Target

      3E40414D3D75B88373027C33BBE22E90A6EF7FDF7C98B.exe

    • Size

      2.0MB

    • MD5

      1827c3deb2f17ab048cbfd62e3bbd861

    • SHA1

      89f978070089ef8b477dfa653724150f2e7f7417

    • SHA256

      3e40414d3d75b88373027c33bbe22e90a6ef7fdf7c98b8b6e8a8e51b4b781a56

    • SHA512

      fef79fff23736f404b8a38895f1f729deae7341b9e8ad7266f5ed761250ab3afa1f8e8485086417367cb6a81179a2e80cca7e279f3082722f7f96b00ef0f0e2a

    Score
    10/10
    orcuspersistenceratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus Main Payload

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks