General

Target: ad61bfdfbc75de73002494c4136d8218.exe
Size: 10KB
Sample: 221201-q6f1psdh24
MD5: ad61bfdfbc75de73002494c4136d8218
SHA1: 47b210f2899f2cdc9a216224904788970d77ed7e
SHA256: 7ef3c97229c67cec6c277b67d614b785bbf89248a8964c13ce491af35c935a94
SHA512: 11b6b2a2bb3e6ebfe4f3855d66a3a7d226311e6829999533871bbdab7fc676006973201e12e1a7c89772c6851aee21e648b51a2dea16c5e15c05470d47c243b9
SSDEEP: 192:84ySY/ncMNb1S+dZh8vkYcV6qU2FJFEUb:84ySincMNjDh6kYcV6qUiJFZb
Static task: static1
Behavioral task: behavioral1
Sample: ad61bfdfbc75de73002494c4136d8218.exe
Resource: win7-20221111-en
Malware Config

Extracted family: orcus
C2: 147.185.221.212:34218
autostart_method: TaskScheduler
enable_keylogger: false
install_path: %programfiles%\Microsoft\Edge\Application\107.0.1418.56\cookies.exe
reconnect_delay: 10000
registry_keyname: Minecraft
taskscheduler_taskname: Minecraft
watchdog_path: AppData\OrcusWatchdog.exe
Targets

Target: ad61bfdfbc75de73002494c4136d8218.exe
- Orcus main payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Orcurs Rat Executable
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger