Overview

overview

10

Static

static

c4d9d25ded...97.exe

windows7_x64

10

c4d9d25ded...97.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797

  • Size

    2.8MB

  • Sample

    220520-3wc8aahfb6

  • MD5

    f7a46b53afa7814e739d59fcdbd527fc

  • SHA1

    b1d3158156a63d3981c3d49c33bb94ef899611d6

  • SHA256

    c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797

  • SHA512

    0bb5d13d55fd27f1feb8c055118ba43fa0a611a2512abafbaceba0d2d3c0e5e9a45520d2f8093070589df422721f568fcc6b59fc2c994288ab5d2ec898b6b5da

Score
10/10
orcusratspywarestealer

Malware Config

Extracted

Family

orcus

C2

18.221.17.220:1604

Mutex

1141a9276f324b1f8a2d4f8f2fec0ac5

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %temp%\drivers\ac2ftsdgj8m5ms5.exe

  • reconnect_delay

    10000

  • registry_keyname

    steam

  • taskscheduler_taskname

    steam

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797

    • Size

      2.8MB

    • MD5

      f7a46b53afa7814e739d59fcdbd527fc

    • SHA1

      b1d3158156a63d3981c3d49c33bb94ef899611d6

    • SHA256

      c4d9d25dedcb02acf6eae98dec3fae4e53585ef8486d755f2b77740dd7ba7797

    • SHA512

      0bb5d13d55fd27f1feb8c055118ba43fa0a611a2512abafbaceba0d2d3c0e5e9a45520d2f8093070589df422721f568fcc6b59fc2c994288ab5d2ec898b6b5da

    Score
    10/10
    orcusratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus Main Payload

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks