General
-
Target
131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.zip
-
Size
590KB
-
Sample
230321-r2ht6sdd7v
-
MD5
76ceddf2b523f448b70be353ccbe9f49
-
SHA1
a977ea3948f550a5b4b0fccc2bc6eb7b9369f102
-
SHA256
860a91929d180d1793d22d43b7815e0b0ef5dcdd74a235427c7063b15b141724
-
SHA512
2054961a98e491d7c9cbcbc448d1e3ad4a5b395e9766987ac4a02b0159666db7329d143f5f23591b97ecb9585f2c2c03e2c3b582d49426d2a325f8843a374e14
-
SSDEEP
12288:NRdMY/C3TQw0xRNvQhfsCGnfdkwrKTa1nVDiUN+SbymLkmjDQ:7dMsvw0FvQh0b1kfToVnNVumQmjE
Malware Config
Extracted
orcus
45.81.39.83:3456
4912f043b8a245f39167b534cb611529
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e.exe
-
Size
910KB
-
MD5
c7fdf7d3486fad12c07ac3a3da853fca
-
SHA1
4f1239e364ba469d8252dd17c25fdfc2f096eb65
-
SHA256
131607fdc98a5a6005a3e2ed447a9a646a2b5fd37d0d69d19bc6ff446712d69e
-
SHA512
7d8cc340b3e2d059744457d95ecea7e4f1f6a80be508a86125a418782da5b06bd62106a44830825b9fda501bd6c4099487729d3120c111a60766e2bee5890292
-
SSDEEP
24576:keu4MROxnFf3xsPekrZlI0AilFEvxHith4:ketMidsrZlI0AilFEvxHit
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-