General
Target: 0aee6eccb540b68a3811f5909b934849e873fef1809392147905986e6111892c
Size: 1.1MB
Sample: 220521-mph7ysfccr
MD5: a0cbd9c2da1bea56af84c24013fe5470
SHA1: 955092538e670b71cc05c3c2ba1225e2645a623b
SHA256: 0aee6eccb540b68a3811f5909b934849e873fef1809392147905986e6111892c
SHA512: e12fdeb8bc4f7e3a5674e118073982098d5c6d8987ebd632266c6fb0b6e6f4806fc2bd93997bdc4c65dc4775f20cdd97b5bf615389ba6adb6fe4407d41526b3e
Static task: static1
Behavioral task: behavioral1
Sample: 0aee6eccb540b68a3811f5909b934849e873fef1809392147905986e6111892c.exe
Resource: win7-20220414-en
Malware Config
Extracted family: orcus
C2 (host:port): serverguedin.ddns.net:10134
bbab6692eea34e39a485be6a03573102
autostart_method: Registry
enable_keylogger: true
install_path: C:\Windows\System32\schost.exe
reconnect_delay: 10000
registry_keyname: schost
taskscheduler_taskname: schost
watchdog_path: AppData\OrcusWatchdog.exe
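The config block above is directly actionable: the install name "schost.exe" is a lookalike of the legitimate svchost.exe, the install path under System32 can only be written by an elevated process, and the same "schost" name is reused for both the Run-key value and the scheduled task, so the persistence artefacts are predictable. The following Python is an added example, not part of the sandbox report and not Orcus code: it normalises the extracted values into indicators and runs them over a handful of constructed Sysmon-style events (dicts with EventID, Image, TargetFilename, TargetObject, QueryName and DestinationPort fields; the records are invented for the demo and are not a real log export). Where the relative watchdog_path resolves on disk is not stated by the report, so the example matches on the watchdog file name only.

```python
"""Turn the extracted Orcus config into IOCs and hunt for them in events.

Added example, not from the sandbox report or the Orcus project.  The
SAMPLE_EVENTS below are constructed to resemble Sysmon records; they are
not real telemetry.
"""
import ntpath

# Values copied from the "Malware Config" block of the report.
ORCUS_CONFIG = {
    "c2": "serverguedin.ddns.net:10134",
    "autostart_method": "Registry",
    "install_path": r"C:\Windows\System32\schost.exe",
    "registry_keyname": "schost",
    "taskscheduler_taskname": "schost",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}


def build_iocs(cfg):
    """Normalise the config into lower-cased, directly comparable indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "install_path": cfg["install_path"].lower(),
        "install_name": ntpath.basename(cfg["install_path"]).lower(),
        # Only the file name: the report does not say which folder the
        # relative watchdog_path resolves against (assumption).
        "watchdog_name": ntpath.basename(cfg["watchdog_path"]).lower(),
        "run_value": cfg["registry_keyname"].lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
        "c2_host": host.lower(),
        "c2_port": int(port),
    }


def check_event(evt, iocs):
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    eid = evt.get("EventID")
    if eid == 1:  # process creation
        image = evt.get("Image", "").lower()
        cmd = evt.get("CommandLine", "").lower()
        if image == iocs["install_path"]:
            hits.append("process:install_path")
        elif ntpath.basename(image) == iocs["install_name"]:
            # schost.exe running from anywhere else is still a svchost lookalike
            hits.append("process:install_name_elsewhere")
        if ntpath.basename(image) == "schtasks.exe" and f"/tn {iocs['task_name']}" in cmd:
            hits.append("task:create")
    elif eid == 11:  # file creation
        path = evt.get("TargetFilename", "").lower()
        if path == iocs["install_path"]:
            hits.append("file:install_path")
        elif ntpath.basename(path) == iocs["watchdog_name"]:
            hits.append("file:watchdog")
    elif eid == 13:  # registry value set
        obj = evt.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in obj and obj.endswith("\\" + iocs["run_value"]):
            hits.append("registry:run_value")
    elif eid == 22:  # DNS query
        if evt.get("QueryName", "").lower().rstrip(".") == iocs["c2_host"]:
            hits.append("dns:c2_host")
    elif eid == 3:  # network connection
        if evt.get("DestinationPort") == iocs["c2_port"]:
            hits.append("net:c2_port")
    return hits


def hunt(events, iocs):
    """Return [(event_index, hits)] for every event with at least one hit."""
    return [(i, check_event(e, iocs)) for i, e in enumerate(events) if check_event(e, iocs)]


# Constructed sample events.  Index 0 (real svchost) and index 5 (an
# unrelated Run value) are benign controls and must not match.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\schost.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\schost",
     "Details": r"C:\Windows\System32\schost.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\AppData\OrcusWatchdog.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn schost /tr "C:\\Windows\\System32\\schost.exe"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 22, "QueryName": "serverguedin.ddns.net", "Image": r"C:\Windows\System32\schost.exe"},
    {"EventID": 3, "DestinationPort": 10134, "Image": r"C:\Windows\System32\schost.exe"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS, build_iocs(ORCUS_CONFIG)):
        print(idx, hits)
```

The port-only network rule is deliberately the weakest indicator (10134 is not reserved for anything and will collide with benign traffic), so treat it as corroboration for a DNS or process hit rather than a standalone alert; the file, Run-value and task-name rules are precise enough to page on.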
Targets
Target: 0aee6eccb540b68a3811f5909b934849e873fef1809392147905986e6111892c
Size: 1.1MB
MD5: a0cbd9c2da1bea56af84c24013fe5470
SHA1: 955092538e670b71cc05c3c2ba1225e2645a623b
SHA256: 0aee6eccb540b68a3811f5909b934849e873fef1809392147905986e6111892c
SHA512: e12fdeb8bc4f7e3a5674e118073982098d5c6d8987ebd632266c6fb0b6e6f4806fc2bd93997bdc4c65dc4775f20cdd97b5bf615389ba6adb6fe4407d41526b3e
Signatures
- Orcus main payload
- Orcus RAT executable
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Loads dropped DLL
- Drops file in System32 directory