orcus | Tool[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Tool.exe
Size

981KB
MD5

3aaf2b9e1652752ab2abb39639197684
SHA1

1093c554a9a6836268e261b176f7044f30003f1d
SHA256

792b7667e65e06c5f66ad7c29d7af541bcc355c1a8b24e5694c51fd79f22680c
SHA512

65f170431862fdd3cc5d963828cc2ea9a468b76ca74c9d8ac36ddec60fbe05086433b16193438193b6b08965c3a90becd9a1ff418e4f71966abd44fef8ae79ec
SSDEEP

24576:OwV4MROxnFD3cEsYxrZlI0AilFEvxHiD5:OwCMiJ5rZlI0AilFEvxHi

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

193.111.248.239:10134

Mutex

3e18f325d23140aba3c5647d77fe4217

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
C:\Windows\Discord.exe
reconnect_delay
10000
registry_keyname
Discord
taskscheduler_taskname
Orcus
watchdog_path
AppData\Discord Fix.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Files

Tool.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 912KB - Virtual size: 911KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ