Overview

overview

10

Static

static

10

Kogtervan.exe

windows7_x64

10

Kogtervan.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Kogtervan.exe.vir

  • Size

    1.2MB

  • Sample

    220618-n71qdsbcb2

  • MD5

    1557a74487c9a87068200ed57aa4f41c

  • SHA1

    21c6fe977ffe351442dde5a67302d934448c2798

  • SHA256

    e672d73cf01f809e167c3b42609d6eb719ae187313f083e4e0ce522d6e6d8f3f

  • SHA512

    d1341180c9426a346bec55bd6ba606de52ffab8309868e28d276120817d20a587a74d58c442efa8cd125d2954b43ec4c0d5d1f88f9dd637d1c346853e75a3c44

Score
10/10
44caliberorcususerpersistenceratspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/921092565279850547/hht9p6Dov5UjlDv5Ho0zPIWCWLDfItsjCjCzkyreb1p0x6_xjYrced5Y9xHEMY-_qP8i

Extracted

Family

orcus

Botnet

User

C2

212.220.202.104:1604

Mutex

f3551b5b37bf41eb87431cb1dd626833

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\System\Update.exe

  • reconnect_delay

    500

  • registry_keyname

    Ocrus

  • taskscheduler_taskname

    Ocrus

  • watchdog_path

    AppData\system32

Targets

    • Target

      Kogtervan.exe.vir

    • Size

      1.2MB

    • MD5

      1557a74487c9a87068200ed57aa4f41c

    • SHA1

      21c6fe977ffe351442dde5a67302d934448c2798

    • SHA256

      e672d73cf01f809e167c3b42609d6eb719ae187313f083e4e0ce522d6e6d8f3f

    • SHA512

      d1341180c9426a346bec55bd6ba606de52ffab8309868e28d276120817d20a587a74d58c442efa8cd125d2954b43ec4c0d5d1f88f9dd637d1c346853e75a3c44

    Score
    10/10
    44caliberorcususerpersistenceratspywarestealer

    • 44Caliber

      An open source infostealer written in C#.

      stealer44caliber

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus Main Payload

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks