Overview

overview

10

Static

static

e65f0af765...b1.exe

windows7_x64

10

e65f0af765...b1.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

  • Size

    3.9MB

  • Sample

    220524-szkresbgcl

  • MD5

    7185dd04ba69eac4b0c2b269843cfae3

  • SHA1

    47427c2fb4e1a097304f801a9dc6815b84fa1519

  • SHA256

    e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

  • SHA512

    150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

Score
10/10
orcusbootkitevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

orcus

C2

dontreachme.ddns.net:3600

dontreachme2.ddns.net:3600
Mutex

637bdf863f424e26ae6741c39d47588d

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %appdata%\Windows Updater\Dupper.exe

  • reconnect_delay

    10000

  • registry_keyname

    WindowsUpdater

  • taskscheduler_taskname

    WindowUpdater

  • watchdog_path

    Temp\Updater.exe

Targets

    • Target

      e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

    • Size

      3.9MB

    • MD5

      7185dd04ba69eac4b0c2b269843cfae3

    • SHA1

      47427c2fb4e1a097304f801a9dc6815b84fa1519

    • SHA256

      e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1

    • SHA512

      150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5

    Score
    10/10
    orcusbootkitevasionpersistenceratspywarestealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus Main Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Orcurs Rat Executable

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks