General

  • Target: 29c34406bc0b9ae5c44474529917fd6e2177f66381131aa2ede5bfb6da334d96.zip
  • Size: 2.6MB
  • Sample: 230321-r2h5yadd7w
  • MD5: f636f06e1b0627025c4b6527aa6a3c15
  • SHA1: 6d3a292c366db88671eb9ff103610e87e3e70cc1
  • SHA256: aafc636bf86569098d54c01b94a582f118f16b6744925ee0b2816164526b2282
  • SHA512: 0f3dc26e011057ee0f7b800d5076959eec11c3a87021c64f5e808b387527c585b758f8996a936c9c5ce1fc794819030919c0d9f64b5e2fe12c4c993a1f7b6b62
  • SSDEEP: 49152:oB0DpFNItvLdQut9sZ6isNPeSu7v8Dk5bVkt2UVAArch7CfHtS20drVIxTv:oGItvNt9sZVGmR78DAVkEUfrcoHtQrkD

Malware Config

Extracted

  • Family: orcus
  • Botnet: Sln
  • C2: 193.138.195.211:10134
  • Mutex: eaf050d367294b239fe7db992d6ea4d7
  • Attributes
    • autostart_method: Registry
    • enable_keylogger: false
    • install_path: %programfiles%\svchost.exe
    • reconnect_delay: 10000
    • registry_keyname: svchost
    • taskscheduler_taskname: svc host
    • watchdog_path: AppData\svchost.exe

Targets

    • Target: 29c34406bc0b9ae5c44474529917fd6e2177f66381131aa2ede5bfb6da334d96.exe
    • Size: 3.0MB
    • MD5: 203d479f9429a21e92b94181db34c427
    • SHA1: 884ed48a71c71dad1601253e95c9ff2f6251a26c
    • SHA256: 29c34406bc0b9ae5c44474529917fd6e2177f66381131aa2ede5bfb6da334d96
    • SHA512: 6b5ca0ddf134c2b7f350f4a5e77f492edd985fa11d1d70c620068939ea559d9a46bfdf78320f56515f153abcc8630729181dee3dd9e808fff8c53d468f37479a
    • SSDEEP: 49152:BOJ3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaJ/nkrrzI0AilFCvxHI:BaGUu1D1Uj6UnypSbzPo9JCme/n

    Signatures

    • Orcus
      Orcus is a Remote Access Trojan that is being sold on underground forums.
    • Orcus main payload
    • Orcurs Rat Executable
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2
