44caliber | e672d73cf01f809e167c3b42609d6eb719ae187313f083e4e0ce522d6e6d8f3f | Triage

Submit
Reports

Overview

overview

Static

static

Kogtervan.exe

windows7_x64

Kogtervan.exe

windows10-2004_x64

Sharing

General

Target

Kogtervan.exe.vir
Size

1.2MB
Sample

220618-n9cfksbcb7
MD5

1557a74487c9a87068200ed57aa4f41c
SHA1

21c6fe977ffe351442dde5a67302d934448c2798
SHA256

e672d73cf01f809e167c3b42609d6eb719ae187313f083e4e0ce522d6e6d8f3f
SHA512

d1341180c9426a346bec55bd6ba606de52ffab8309868e28d276120817d20a587a74d58c442efa8cd125d2954b43ec4c0d5d1f88f9dd637d1c346853e75a3c44

Score

10^/10

44caliber orcus user persistence rat spyware stealer

Static task

static1

orcus 44caliber

Behavioral task

behavioral1

Sample

Kogtervan.exe

Resource

win7-20220414-en

44caliber orcus user persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Kogtervan.exe

Resource

win10v2004-20220414-en

44caliber orcus user persistence rat spyware stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/921092565279850547/hht9p6Dov5UjlDv5Ho0zPIWCWLDfItsjCjCzkyreb1p0x6_xjYrced5Y9xHEMY-_qP8i

Extracted

Family

orcus

Botnet

User

C2

212.220.202.104:1604

Mutex

f3551b5b37bf41eb87431cb1dd626833

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\System\Update.exe
reconnect_delay
500
registry_keyname
Ocrus
taskscheduler_taskname
Ocrus
watchdog_path
AppData\system32

Targets

- Target
  
  Kogtervan.exe.vir
- Size
  
  1.2MB
- MD5
  
  1557a74487c9a87068200ed57aa4f41c
- SHA1
  
  21c6fe977ffe351442dde5a67302d934448c2798
- SHA256
  
  e672d73cf01f809e167c3b42609d6eb719ae187313f083e4e0ce522d6e6d8f3f
- SHA512
  
  d1341180c9426a346bec55bd6ba606de52ffab8309868e28d276120817d20a587a74d58c442efa8cd125d2954b43ec4c0d5d1f88f9dd637d1c346853e75a3c44
Score

10^/10

44caliber orcus user persistence rat spyware stealer
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus Main Payload
- Orcurs Rat Executable
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

44caliberorcususerpersistenceratspywarestealer

behavioral2

44caliberorcususerpersistenceratspywarestealer

© 2018-2024

Terms | Privacy