General
-
Target
cd9a9c0e29c7e07591ad87e28d052b312b93c239fdabab55cbbf9afebd0ba3f0.zip
-
Size
7.1MB
-
Sample
230321-r2j28sbc94
-
MD5
255edb6f4439b2953ade504c6e5d2a36
-
SHA1
5ce66f844c667cc50eb0b0392d25d296684da9d0
-
SHA256
64de6fd2292adef4c40b4fe55cc202cb2fd18883acf2997060b4a3ac06529391
-
SHA512
9d4b6973fb9ff7f505c72c166eb39df509d68c8e35d9813dbb31b28adc9c69f30e95e2ff105e95e8c68d205132897fb340bfa2b7225035fd1dc97cd5727aa2d6
-
SSDEEP
196608:pV4gvTUxs6zbdPCfktd65hTmxehYAwR+F:pV4aTsdCMfWxO9R+F
Malware Config
Extracted
orcus
147.185.221.229:56094
2a30efd7bd3544ffa164ed58cb94ed39
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\svhost\svhost.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\svhost.exe
Targets
-
-
Target
cd9a9c0e29c7e07591ad87e28d052b312b93c239fdabab55cbbf9afebd0ba3f0.exe
-
Size
7.3MB
-
MD5
d271d5d11c45e5841b7f6be1d44bd316
-
SHA1
264c974fba09da90f4528df17a8347c372813eb8
-
SHA256
cd9a9c0e29c7e07591ad87e28d052b312b93c239fdabab55cbbf9afebd0ba3f0
-
SHA512
8dbda89e55effec0568377bbe6bc004b791326a9b66341a20709ea854b5a217b2a15a026fe8cbeed010fc9fa64aa293737db6a877409043688007fc518a773af
-
SSDEEP
196608:4/QpoaiGxbAQ5owejuJDUX47dwdW0LBXYYPEzZ:3oixCaUX47d4arZ
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-