General

Target: Orcus_Vgk.exe
Size: 3.7MB
Sample: 230322-esslsseg52
MD5: 1e88604f32e24a69fcccf04bcb5a8fa0
SHA1: 84f22a7ed74ce0ae4643c84343c0d2b94ceb16bf
SHA256: 2d711cdf078f65d2ec4869021fba98d9d2d4d0d27d89e7a8825ad6f659200505
SHA512: 0e21e15646e7acbec56cc148e60367387bd9002a16e37748903ada8c23b01918fcff5c7f2cf72a385ab23aa14e841babe7604eaec35b034d92f38820095bd9e2
SSDEEP: 98304:nxULIzdQpR9cUEQZD8Q41wKE7WZBAIbbAhP3w3/yo:xUWI9bEMX4iL7UBAeAhPg3r

Malware Config

Targets

Target: Orcus_Vgk.exe (3.7MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General above)

Signatures for this target:
- Identifies VirtualBox via ACPI registry values (likely anti-VM). The subkeys under HKLM\HARDWARE\ACPI\DSDT, FADT and RSDT are named after the ACPI table's OEM ID, which is VBOX__ on a VirtualBox guest, so opening HKLM\HARDWARE\ACPI\DSDT\VBOX__ succeeds only inside VirtualBox. These keys are populated by the kernel from firmware tables, so hiding them means changing the hypervisor's ACPI/DMI OEM strings rather than editing the registry.
- Checks BIOS information in registry. BIOS strings such as SystemBiosVersion and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System are often read in order to detect sandboxing environments, since on a virtual machine they name the hypervisor vendor outright.
- Legitimate hosting services abused for malware hosting/C2.
- Suspicious use of NtSetInformationThreadHideFromDebugger: a call to NtSetInformationThread with the ThreadHideFromDebugger information class (0x11). Once set, the calling thread no longer generates debug events for an attached debugger, so breakpoints and single-stepping in that thread stop working; this is a common anti-debugging measure and has no legitimate use in ordinary application code.
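The three behavioural signatures above (VirtualBox ACPI keys, BIOS strings in the registry, and NtSetInformationThread with ThreadHideFromDebugger) can be checked mechanically against a sandbox's event stream. The following is an added example written for this page; it is not the sandbox's own detection logic and not code from the sample. The event records, their field names and the sample values are constructed stand-ins for whatever a real behavioural report exposes.

```python
"""
Walk a sandbox's registry and API events and flag the anti-VM / anti-debug
behaviours listed in this report.  Added example for this page: not the
sandbox's own detection logic and not code from the sample.  The event
records and their field names are constructed stand-ins for a real report.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Registry paths commonly read by VM-aware samples.  Under
# HKLM\HARDWARE\ACPI the subkey name is the ACPI table's OEM ID, which is
# VBOX__ on a VirtualBox guest; the BIOS strings under
# HKLM\HARDWARE\DESCRIPTION\System name the hypervisor vendor outright.
VM_REGISTRY_CHECKS = [
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I), "virtualbox-acpi"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), "bios-info"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate$", re.I), "bios-info"),
]

# THREADINFOCLASS value that removes the calling thread from the debugger's
# view: NtSetInformationThread(h, ThreadHideFromDebugger = 0x11, NULL, 0).
THREAD_HIDE_FROM_DEBUGGER = 0x11


@dataclass(frozen=True)
class Finding:
    kind: str      # "anti-vm" or "anti-debug"
    tag: str       # which signature fired
    evidence: str  # the registry path or API call that triggered it


def classify_registry_event(path: str) -> Optional[Finding]:
    """Match one registry path against the VM-detection key list."""
    for pattern, tag in VM_REGISTRY_CHECKS:
        if pattern.search(path):
            return Finding("anti-vm", tag, path)
    return None


def classify_api_event(api: str, args: dict) -> Optional[Finding]:
    """Flag NtSetInformationThread only when the class is ThreadHideFromDebugger."""
    if api.lower() != "ntsetinformationthread":
        return None
    if args.get("ThreadInformationClass") != THREAD_HIDE_FROM_DEBUGGER:
        return None
    return Finding("anti-debug", "hide-from-debugger",
                   f"{api}(ThreadInformationClass=0x{THREAD_HIDE_FROM_DEBUGGER:x})")


def triage(events) -> list:
    """Return the de-duplicated findings for a list of sandbox events."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            f = classify_registry_event(ev["path"])
        elif ev["type"] == "api":
            f = classify_api_event(ev["api"], ev.get("args", {}))
        else:
            f = None
        if f and f not in findings:
            findings.append(f)
    return findings


# Constructed events in the shape a behavioural report might expose.
SAMPLE_EVENTS = [
    {"type": "registry", "op": "open",
     "path": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "op": "query",
     "path": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry", "op": "query",
     "path": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "registry", "op": "query",   # benign version lookup, must not fire
     "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"},
    {"type": "api", "api": "NtSetInformationThread",
     "args": {"ThreadInformationClass": 0x11}},
    {"type": "api", "api": "NtSetInformationThread",  # ThreadPriority (2), benign
     "args": {"ThreadInformationClass": 0x2}},
]


def summarize(events) -> dict:
    """Count findings per kind so a triage script can threshold on them."""
    counts = {}
    for f in triage(events):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.kind:10} {f.tag:18} {f.evidence}")
    print(summarize(SAMPLE_EVENTS))
```

On the constructed events this yields three anti-vm findings (one ACPI, two BIOS strings) and one anti-debug finding; the ProductName lookup and the ThreadPriority call are deliberately left unflagged, because NtSetInformationThread itself is benign and only the 0x11 information class is the signal.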