General

  • Target: csrss.exe
  • Size: 915KB
  • Sample: 230101-shcz9afb8x
  • MD5: 9edc8a7beb5cd20a12f306308d9bcc77
  • SHA1: 66904d048fa464f0ba3443a582f0a909c3cff140
  • SHA256: 3cb4efecf87208f429ab7186fb10d10998f3534cfec8e277019b6fff53caa7ef
  • SHA512: 55087802c715a3320b99608aa67cb79fe6c5ec3ff3a6f7e21261020575bc98d2b555da9908fd282d77bbf8df635fa1ce7133600e2cc86a5bc855f137679e3675
  • SSDEEP: 24576:vUU4MROxnFD3KrXYf1rrcI0AilFEvxHPVooH:viMiJHrrcI0AilFEvxHP

Malware Config

Extracted

  • Family: orcus
  • Botnet: CC
  • C2: 127.0.0.1:10134
  • Mutex: 8e9cad03731d44e4aea90236e8356123

Attributes

  • autostart_method: TaskScheduler
  • enable_keylogger: true
  • install_path: %programfiles%\Orcus\Orcus.exe
  • reconnect_delay: 10000
  • registry_keyname: Orcus
  • taskscheduler_taskname: csrss
  • watchdog_path: Temp\csrss.exe

Targets

    • Target: csrss.exe
    • Size: 915KB
    • MD5: 9edc8a7beb5cd20a12f306308d9bcc77
    • SHA1: 66904d048fa464f0ba3443a582f0a909c3cff140
    • SHA256: 3cb4efecf87208f429ab7186fb10d10998f3534cfec8e277019b6fff53caa7ef
    • SHA512: 55087802c715a3320b99608aa67cb79fe6c5ec3ff3a6f7e21261020575bc98d2b555da9908fd282d77bbf8df635fa1ce7133600e2cc86a5bc855f137679e3675
    • SSDEEP: 24576:vUU4MROxnFD3KrXYf1rrcI0AilFEvxHPVooH:viMiJHrrcI0AilFEvxHP

    Signatures

    • Orcus
      Orcus is a Remote Access Trojan that is being sold on underground forums.
    • Orcus main payload
    • Orcurs Rat Executable
    • Executes dropped EXE
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks