General
-
Target
ac8be183acf3079cd5475f8c170a98ae.exe
-
Size
2.9MB
-
Sample
220408-ktwbzabaf2
-
MD5
ac8be183acf3079cd5475f8c170a98ae
-
SHA1
4eab4aba5e2888496a267f2e755c5fbd29a5c25d
-
SHA256
c7ad74775251731d6ffc24878658341b5a3b3398a5480ab113f80af42eda32c3
-
SHA512
d3c80ff0ee04ecf898a0951433bf4e1dba25a214f4b1d902bc8e0a79a1b08bacc6813cd30c40a7a3f6cd10312b49850475f61f2f33886ad2797f25c37cfa54f3
Malware Config
Extracted
orcus
old
tools.3utilities.com:17650
3e72d23ec7f64b6aab470ad129f9a745
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\vcredist\vcredistapp.exe
-
reconnect_delay
10000
-
registry_keyname
vcredistappreg
-
taskscheduler_taskname
vcredistappsch
-
watchdog_path
Temp\vcredistapp.exe
Extracted
44caliber
https://discord.com/api/webhooks/959366883545579581/Z1Be8qUrtXUbCZydkDEnV1VMcMYEDqpAE1fFmNhN26L5vd4nrcJOGi-iQnD-msZc-BJX
Targets
-
-
Target
ac8be183acf3079cd5475f8c170a98ae.exe
-
Size
2.9MB
-
MD5
ac8be183acf3079cd5475f8c170a98ae
-
SHA1
4eab4aba5e2888496a267f2e755c5fbd29a5c25d
-
SHA256
c7ad74775251731d6ffc24878658341b5a3b3398a5480ab113f80af42eda32c3
-
SHA512
d3c80ff0ee04ecf898a0951433bf4e1dba25a214f4b1d902bc8e0a79a1b08bacc6813cd30c40a7a3f6cd10312b49850475f61f2f33886ad2797f25c37cfa54f3
Score10/10-
44Caliber
An open source infostealer written in C#.
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcurs Rat Executable
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-