orcus | HEUR-Trojan-Spy[.]MSIL[.]Generic-9162035bdf58571f4addb781f7501a55337a2437c0022e0cb5cf9f0162bcf8f2[.]exe | Triage

Sharing

General

Target

HEUR-Trojan-Spy.MSIL.Generic-9162035bdf58571f4addb781f7501a55337a2437c0022e0cb5cf9f0162bcf8f2.exe
Size

908KB
MD5

f1e4a04ced6ac22acfbe73b93cfa55a0
SHA1

ef35307d8850052c45827d4873abd98d79906deb
SHA256

9162035bdf58571f4addb781f7501a55337a2437c0022e0cb5cf9f0162bcf8f2
SHA512

062a3de317f9515da294e54b82d0b039959784e12cbdb20553e62ab455c63821105342f3455dc7df42dbabae8c5a9a6b2e426784b6f67af07be3822bcb222063
SSDEEP

24576:Wqd4MROxnFj30xXFHXRrZlI0AilFEvxHiln:WqqMi1sRhrZlI0AilFEvxHi

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

78.198.121.158:5555

Mutex

e37b97020fdb47e0a5bc491e6c25e4bc

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\proxy\svchost.exe
reconnect_delay
10000
registry_keyname
windows proxy
taskscheduler_taskname
Orcus
watchdog_path
Temp\svchost32.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Files

HEUR-Trojan-Spy.MSIL.Generic-9162035bdf58571f4addb781f7501a55337a2437c0022e0cb5cf9f0162bcf8f2.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 903KB - Virtual size: 902KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ