General
Target: 29c34406bc0b9ae5c44474529917fd6e2177f66381131aa2ede5bfb6da334d96.zip
Size: 2.6MB
Sample: 230321-r2h5yadd7w
MD5: f636f06e1b0627025c4b6527aa6a3c15
SHA1: 6d3a292c366db88671eb9ff103610e87e3e70cc1
SHA256: aafc636bf86569098d54c01b94a582f118f16b6744925ee0b2816164526b2282
SHA512: 0f3dc26e011057ee0f7b800d5076959eec11c3a87021c64f5e808b387527c585b758f8996a936c9c5ce1fc794819030919c0d9f64b5e2fe12c4c993a1f7b6b62
SSDEEP: 49152:oB0DpFNItvLdQut9sZ6isNPeSu7v8Dk5bVkt2UVAArch7CfHtS20drVIxTv:oGItvNt9sZVGmR78DAVkEUfrcoHtQrkD
Behavioral task
behavioral1
Sample: 29c34406bc0b9ae5c44474529917fd6e2177f66381131aa2ede5bfb6da334d96.exe
Resource: win7-20230220-en
Malware Config
Extracted: orcus
Sln
193.138.195.211:10134
eaf050d367294b239fe7db992d6ea4d7
autostart_method: Registry
enable_keylogger: false
install_path: %programfiles%\svchost.exe
reconnect_delay: 10000
registry_keyname: svchost
taskscheduler_taskname: svc host
watchdog_path: AppData\svchost.exe
Targets
Target: 29c34406bc0b9ae5c44474529917fd6e2177f66381131aa2ede5bfb6da334d96.exe
Size: 3.0MB
MD5: 203d479f9429a21e92b94181db34c427
SHA1: 884ed48a71c71dad1601253e95c9ff2f6251a26c
SHA256: 29c34406bc0b9ae5c44474529917fd6e2177f66381131aa2ede5bfb6da334d96
SHA512: 6b5ca0ddf134c2b7f350f4a5e77f492edd985fa11d1d70c620068939ea559d9a46bfdf78320f56515f153abcc8630729181dee3dd9e808fff8c53d468f37479a
SSDEEP: 49152:BOJ3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaJ/nkrrzI0AilFCvxHI:BaGUu1D1Uj6UnypSbzPo9JCme/n
Orcus main payload
Orcus RAT executable
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory