General
Target: 5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.zip
Size: 587KB
Sample: 230321-r2h5yadd7x
MD5: 9b2e3e28488432c4b0485b3ac06e7fd5
SHA1: c3fc54458ab5762a33fb566dbb746fcfda10e6b5
SHA256: eac86f0d431431bfa29cfc4bbe2204c4124bce7c53535d37bed26f50a11d5241
SHA512: cfa9b7aa7c7ed0062e4e51db478efb7d45a151e683c11e96700c8702f4e3bfcafd63dc78eebfb9de33493cc680e2b6b25037f4bdfe98dc394c67a2658ed7ca0a
SSDEEP: 12288:lNnP65mrSN0Vl4ATVn/g84Eo4UAwsED0qfJzY18:nni5mrSQlHe4Yj1p
Note: the hashes in this section are those of the submitted archive. The archive is named after the SHA256 of the executable it contains, which is listed under Targets; do not use the archive hashes as indicators for the payload itself.
Behavioral tasks
behavioral1: sample 5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe, resource win7-20230220-en
behavioral2: sample 5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe, resource win10v2004-20230220-en
Malware Config
Extracted family: orcus
C2: 4.tcp.eu.ngrok.io:16452
Unlabeled config value: 1b704d0841c7486288b6ef5dfe82a084
autostart_method: Registry
enable_keylogger: false
install_path: C:\Program Files\Windows NT\TableTextService\en-US\english.exe
reconnect_delay: 10000
registry_keyname: svchost
taskscheduler_taskname: Cortana
watchdog_path: AppData\WindowsDefender.exe
Note: the C2 endpoint is an ngrok TCP tunnel, so the operator's real listener address does not appear in the config, and the tunnel hostname and port can be reassigned when the tunnel is restarted. The host-side artifacts (install path, the Run value named "svchost", the "Cortana" scheduled task and the watchdog binary under AppData) are the more durable indicators. The watchdog path is relative; the config does not state which AppData root it resolves against.
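As an added example, not part of the sandbox report and not code from Orcus or from the sandbox vendor, the following Python turns the extracted config into host-side hunting logic and runs it over constructed Sysmon-style events. The event dictionary layout, the sample events, and the generalisation from the single configured hostname to any ngrok TCP tunnel endpoint are this example's own assumptions.

```python
"""Hunt host telemetry for the persistence and C2 artifacts in the extracted Orcus config."""
import re
from typing import Iterable

# Values copied from the extracted config on this page.
C2_HOST, C2_PORT = "4.tcp.eu.ngrok.io", 16452
INSTALL_PATH = r"C:\Program Files\Windows NT\TableTextService\en-US\english.exe"
RUN_VALUE_NAME = "svchost"
TASK_NAME = "Cortana"
WATCHDOG_SUFFIX = r"\AppData\WindowsDefender.exe"  # config gives a relative path, so match the tail

# Assumption: generalise beyond the one configured host to any ngrok TCP tunnel endpoint
# (e.g. 2.tcp.ngrok.io, 4.tcp.eu.ngrok.io), since tunnel host/port can be reassigned.
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z0-9-]+)?\.ngrok\.io$", re.IGNORECASE)
# Value name under a HKLM/HKU ...\CurrentVersion\Run key (RunOnce deliberately not matched).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Task name argument of schtasks.exe, quoted or not.
SCHTASKS_TN = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)


def hunt(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (event_index, finding) for each event that matches an Orcus artifact.

    Events are simplified Sysmon-like dicts (this example's own schema, not Sysmon's):
    type in {registry_set, file_create, process_create, network_connect}.
    """
    findings: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "registry_set":
            m = RUN_KEY.search(ev.get("target", ""))
            if m and m.group(1).lower() == RUN_VALUE_NAME:
                if INSTALL_PATH.lower() in ev.get("details", "").lower():
                    findings.append((i, "Run value 'svchost' launches the Orcus install path"))
                else:
                    # The real svchost.exe is started by services.exe, never via a Run value.
                    findings.append((i, "Run value named 'svchost' (suspicious regardless of target)"))
        elif kind == "file_create":
            target = ev.get("target", "")
            if target.lower() == INSTALL_PATH.lower():
                findings.append((i, "Orcus install path written"))
            elif target.lower().endswith(WATCHDOG_SUFFIX.lower()):
                findings.append((i, "Orcus watchdog dropped under AppData"))
        elif kind == "process_create":
            if ev.get("image", "").lower().endswith("\\schtasks.exe"):
                m = SCHTASKS_TN.search(ev.get("cmdline", ""))
                if m and m.group(1).lower() == TASK_NAME.lower():
                    findings.append((i, "schtasks created task 'Cortana'"))
        elif kind == "network_connect":
            host, port = ev.get("dest_host", ""), ev.get("dest_port")
            if host.lower() == C2_HOST and port == C2_PORT:
                findings.append((i, "connection to configured C2 endpoint"))
            elif NGROK_TCP.match(host):
                findings.append((i, "connection to an ngrok TCP tunnel (tunnel host/port may differ from config)"))
    return findings


# Constructed telemetry for demonstration; not events from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "file_create", "target": r"C:\Program Files\Windows NT\TableTextService\en-US\english.exe"},
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Program Files\Windows NT\TableTextService\en-US\english.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Cortana" /tr "C:\\Program Files\\Windows NT\\TableTextService\\en-US\\english.exe" /sc onlogon'},
    {"type": "file_create", "target": r"C:\Users\alice\AppData\WindowsDefender.exe"},
    {"type": "network_connect", "dest_host": "4.tcp.eu.ngrok.io", "dest_port": 16452},
    {"type": "network_connect", "dest_host": "2.tcp.ngrok.io", "dest_port": 19015},
    # Benign events that must not fire.
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "network_connect", "dest_host": "www.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The ngrok rule is intentionally broader than the configured endpoint: any outbound connection to a numbered `tcp` ngrok hostname from a host with no business use for ngrok is worth a look, because a rebuilt tunnel will not match the exact host:port pair in this config.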
Targets
Target: 5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
Size: 905KB
MD5: 4309184cb5cc16c9d398559f0488664d
SHA1: 8e9eab97272652afa19b858a8722488388f68968
SHA256: 5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789
SHA512: 1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e
SSDEEP: 24576:ZVWC4MROxnFj31rkxrrcI0AilFEvxHPNbyooI:ZqMi1JqrrcI0AilFEvxHP
Score: 10/10
Signatures:
- Orcus main payload
- Orcus RAT executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence to avoid executing in certain regions.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2 (the C2 is an ngrok TCP tunnel)