General
-
Target
6d06740fbd595b66c802c2c32fbef399cc1b3dfec45722b67534bf597ee7a388.zip
-
Size
645KB
-
Sample
230321-r2jfpsbc92
-
MD5
72ea7eccb0b6c7cf2e223da35c8770fa
-
SHA1
cb52dc3fc48a089631dd9c777a2176391410fdfd
-
SHA256
91015de41dfac3f4592a6ccb718c3bfe2a32e45266fa9f5cb071ba101b5108f5
-
SHA512
30b24f4df1244760e10567d0df22b530012c33de05d5e895e8fc7ca1d5e4d95d24e74e965b5f6d5a6d183357a55fb97ad5d5f6654358629801903571fdbf1ae5
-
SSDEEP
12288:F1DbXpam/KdZPT/vQkW8+9t1LBZPUlC0FXndMRMCZUkZu5umcs/:FRbqvDokV6tpAnntCiJj/
Malware Config
Extracted
orcus
4.tcp.eu.ngrok.io:16452
e54e0edc2b17490a830bf852d09713b4
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
C:\Windows\Microsoft.NET\Framework64\svchost.exe
-
reconnect_delay
10000
-
registry_keyname
win64host
-
taskscheduler_taskname
win64def
-
watchdog_path
AppData\svchost.exe
Targets
-
-
Target
6d06740fbd595b66c802c2c32fbef399cc1b3dfec45722b67534bf597ee7a388.exe
-
Size
15.0MB
-
MD5
3f3da8bac0a5a861bb9d8cc338277cec
-
SHA1
c4decfc78ea894203ef57400e1378219b452ab85
-
SHA256
6d06740fbd595b66c802c2c32fbef399cc1b3dfec45722b67534bf597ee7a388
-
SHA512
371db6dd0f50770af5f4d73f8f0ebeb157b1fd802c5f1c734276e47d320c7e22638a115dbae1250818f006bb4d1d44e4d12850de61323466b931fbd86e164691
-
SSDEEP
24576:g8c4MROxnFj37rkxrrcI0AilFEvxHPA2eooyD:gGMi1PqrrcI0AilFEvxHPA+
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-