General

  • Target

    aba5075740d61e0655ae593bd41c12ed.bin

  • Size

    4KB

  • Sample

    230217-bxfk9acf7x

  • MD5

    081617dcf0fbc8878a0e597939b8fc27

  • SHA1

    2505f0bed248e108b715b763b3b21b0ceaaf6af8

  • SHA256

    ec4d4e355c7385b42fb551ec97b30aace1b8e46ab647e1e5861b27b5032be642

  • SHA512

    c29cfadc1dc011034a13d6f57984ed2b131455069a31e458d5187b65cb8aacaef49e66dc6886551225e18aeddc7322dd2fc969e1abc1ff260cad1832cbab0009

  • SSDEEP

    96:+gKgksE76eWOr8SG0BxywzRSS7M0ZdVxE+cAsN2ApRmgptCNMPyUg50:+gfkvFWOrQ0BxyazQ0ZdTDA2yRmCCNpi

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    Sln

  • C2

    193.138.195.211:10134

  • Mutex

    eaf050d367294b239fe7db992d6ea4d7

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\svchost.exe

  • reconnect_delay

    10000

  • registry_keyname

    svchost

  • taskscheduler_taskname

    svc host

  • watchdog_path

    AppData\svchost.exe

Targets

    • Target

      b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7.exe

    • Size

      12KB

    • MD5

      aba5075740d61e0655ae593bd41c12ed

    • SHA1

      e7b240e772dd8b1101612602cf1b36da5d64ba16

    • SHA256

      b43afa831febdd668c0cbbc00dfd95693337dd76d3afe2e480c8021174429ca7

    • SHA512

      e2569bf4380e8d832c5b91de45ca228446ec600e37ae1ce27b5056fce309f639ac1a4df4a7e09018e694c90478e1c57652beef4c037f1d5d4e94ee6a68807553

    • SSDEEP

      192:UmeH0viGnxDuZ04FBKlTav2r6zWKhVHL2mpH/2mfLA9zxIWNXzya:DeKhDuZ04rCav2rElhVHLRpH/RTAbdzr

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • StormKitty

      StormKitty is an open-source info stealer written in C#.

    • StormKitty payload

    • Orcus RAT Executable

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

    Install Root Certificate (T1130): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 1