General
  Target: ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.zip
  Size: 587KB
  Sample: 230321-r2kc1add7z
  MD5: 32fb004f6f9b11926725fb875479dd8e
  SHA1: 5443f49e5f111cb7bbd6b7aea6c039e0daa2911a
  SHA256: 144947ddb462ddbdb8a4f1e3fdca9278e268e5fb918f154897477776676cdf7a
  SHA512: d95f77bf685fc6c6668eb25e65ea8b346adfb6440f10b95b6c4e4bc0866acead0744097f3f9a9376cc82a66586c2a9ad793ef5c478048254c386c3ede7cbd643
  SSDEEP: 12288:XwlXNwE4as62IibxMOv1fVMnHPLi65AuBML2e4z4TXmqYtR:AcEmea51fVKTT5pML2e24jmF
Behavioral task: behavioral1
  Sample: ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
  Resource: win10v2004-20230220-en
Malware Config
  Extracted: orcus
  4.tcp.eu.ngrok.io:16452
  1b704d0841c7486288b6ef5dfe82a084
  autostart_method: Registry
  enable_keylogger: false
  install_path: C:\Program Files\Windows NT\TableTextService\en-US\english.exe
  reconnect_delay: 10000
  registry_keyname: svchost
  taskscheduler_taskname: Cortana
  watchdog_path: AppData\WindowsDefender.exe
Targets
  Target: ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
  Size: 905KB
  MD5: 184e63d8cc64364cc3878378e56874ec
  SHA1: 29b0f6419e8d44ac70f0a8a8e91175b46238d093
  SHA256: ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60
  SHA512: 5f8254cdcd387f496ab5c3e6a77552264ead620721f27ef080c5139dacfc923345db030132f54791c64e7ae18b1aec14fbb7cf4a2111e22d8e6b93a40e560e8d
  SSDEEP: 24576:9Aw4MROxnFj3IrkxrrcI0AilFEvxHPTToo4:9WMi1UqrrcI0AilFEvxHP
Score: 10/10

Signatures
  Orcus main payload
  Orcus RAT executable
  Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Legitimate hosting services abused for malware hosting/C2