orcus | CheatHubLauncher[.]exe | Triage

Sharing

General

Target

CheatHubLauncher.exe
Size

12.8MB
MD5

0fb32f1fc38ca023300ba5a7b339bbb9
SHA1

4cb9f12f4c6ad6fab6926c50116de275f8f75366
SHA256

e8f8f059c4850f230af003ad19f23450b4f80df8a58fa547293298f31c6f453a
SHA512

91db621ad5a5280102aad31a366a24b4b08148dc4bb706322bd79ed284fe0060691163aefdb0d74d374dc580d5136a849df1a009235d55c7c71f22bd664b922f
SSDEEP

24576:jhf4MROxnFj3JrkxrrcI0AilFEvxHP2ooOtmUh+P:jSMi19qrrcI0AilFEvxHPrmUh+

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

6.tcp.eu.ngrok.io:15409

Mutex

4f410509b9144dd9acb87977aa081e27

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
C:\Windows\security\logs\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchost
watchdog_path
AppData\svchost.exe

Signatures

Orcurs Rat Executable 1 IoCs

Processes:

resource yara_rule

sample orcus
Orcus family
orcus
Orcus main payload 1 IoCs

Processes:

resource yara_rule

sample family_orcus

Files

CheatHubLauncher.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 903KB - Virtual size: 902KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 135KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ