General
-
Target
CheatHubLauncher.exe
-
Size
12.8MB
-
Sample
230329-cwajaagb4y
-
MD5
0fb32f1fc38ca023300ba5a7b339bbb9
-
SHA1
4cb9f12f4c6ad6fab6926c50116de275f8f75366
-
SHA256
e8f8f059c4850f230af003ad19f23450b4f80df8a58fa547293298f31c6f453a
-
SHA512
91db621ad5a5280102aad31a366a24b4b08148dc4bb706322bd79ed284fe0060691163aefdb0d74d374dc580d5136a849df1a009235d55c7c71f22bd664b922f
-
SSDEEP
24576:jhf4MROxnFj3JrkxrrcI0AilFEvxHP2ooOtmUh+P:jSMi19qrrcI0AilFEvxHPrmUh+
Behavioral task
behavioral1
Sample
CheatHubLauncher.exe
Resource
win7-20230220-en
Malware Config
Extracted
orcus
6.tcp.eu.ngrok.io:15409
4f410509b9144dd9acb87977aa081e27
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
C:\Windows\security\logs\svchost.exe
-
reconnect_delay
10000
-
registry_keyname
svchost
-
taskscheduler_taskname
svchost
-
watchdog_path
AppData\svchost.exe
Targets
-
-
Target
CheatHubLauncher.exe
-
Size
12.8MB
-
MD5
0fb32f1fc38ca023300ba5a7b339bbb9
-
SHA1
4cb9f12f4c6ad6fab6926c50116de275f8f75366
-
SHA256
e8f8f059c4850f230af003ad19f23450b4f80df8a58fa547293298f31c6f453a
-
SHA512
91db621ad5a5280102aad31a366a24b4b08148dc4bb706322bd79ed284fe0060691163aefdb0d74d374dc580d5136a849df1a009235d55c7c71f22bd664b922f
-
SSDEEP
24576:jhf4MROxnFj3JrkxrrcI0AilFEvxHP2ooOtmUh+P:jSMi19qrrcI0AilFEvxHPrmUh+
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-