General
-
Target
c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797
-
Size
2.8MB
-
Sample
220520-3wc8aahfb6
-
MD5
f7a46b53afa7814e739d59fcdbd527fc
-
SHA1
b1d3158156a63d3981c3d49c33bb94ef899611d6
-
SHA256
c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797
-
SHA512
0bb5d13d55fd27f1feb8c055118ba43fa0a611a2512abafbaceba0d2d3c0e5e9a45520d2f8093070589df422721f568fcc6b59fc2c994288ab5d2ec898b6b5da
Static task
static1
Behavioral task
behavioral1
Sample
c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797.exe
Resource
win7-20220414-en
Malware Config
Extracted
orcus
18.221.17.220:1604
1141a9276f324b1f8a2d4f8f2fec0ac5
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%temp%\drivers\ac2ftsdgj8m5ms5.exe
-
reconnect_delay
10000
-
registry_keyname
steam
-
taskscheduler_taskname
steam
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797
-
Size
2.8MB
-
MD5
f7a46b53afa7814e739d59fcdbd527fc
-
SHA1
b1d3158156a63d3981c3d49c33bb94ef899611d6
-
SHA256
c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797
-
SHA512
0bb5d13d55fd27f1feb8c055118ba43fa0a611a2512abafbaceba0d2d3c0e5e9a45520d2f8093070589df422721f568fcc6b59fc2c994288ab5d2ec898b6b5da
-
Orcus Main Payload
-
Orcurs Rat Executable
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Suspicious use of SetThreadContext
-