General
Target: aba5075740d61e0655ae593bd41c12ed.bin
Size: 4KB
Sample: 230217-bxfk9acf7x
MD5: 081617dcf0fbc8878a0e597939b8fc27
SHA1: 2505f0bed248e108b715b763b3b21b0ceaaf6af8
SHA256: ec4d4e355c7385b42fb551ec97b30aace1b8e46ab647e1e5861b27b5032be642
SHA512: c29cfadc1dc011034a13d6f57984ed2b131455069a31e458d5187b65cb8aacaef49e66dc6886551225e18aeddc7322dd2fc969e1abc1ff260cad1832cbab0009
SSDEEP: 96:+gKgksE76eWOr8SG0BxywzRSS7M0ZdVxE+cAsN2ApRmgptCNMPyUg50:+gfkvFWOrQ0BxyazQ0ZdTDA2yRmCCNpi
Static task: static1
Behavioral task: behavioral1
Sample: b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe
Resource: win7-20220812-en
Malware Config
Extracted: orcus
Sln
193.138.195.211:10134
eaf050d367294b239fe7db992d6ea4d7
autostart_method: Registry
enable_keylogger: false
install_path: %programfiles%\svchost.exe
reconnect_delay: 10000
registry_keyname: svchost
taskscheduler_taskname: svc host
watchdog_path: AppData\svchost.exe
Targets
Target: b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe
Size: 12KB
MD5: aba5075740d61e0655ae593bd41c12ed
SHA1: e7b240e772dd8b1101612602cf1b36da5d64ba16
SHA256: b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7
SHA512: e2569bf4380e8d832c5b91de45ca228446ec600e37ae1ce27b5056fce309f639ac1a4df4a7e09018e694c90478e1c57652beef4c037f1d5d4e94ee6a68807553
SSDEEP: 192:UmeH0viGnxDuZ04FBKlTav2r6zWKhVHL2mpH/2mfLA9zxIWNXzya:DeKhDuZ04rCav2rElhVHLRpH/RTAbdzr
Score: 10/10
Orcus main payload
StormKitty payload
Orcurs Rat Executable
Downloads MZ/PE file
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory