General

  • Target

    Qutn.exe

  • Size

    922KB

  • Sample

    230413-s7zkjscd76

  • MD5

    761f7b36ea8c6bc31bbe703b584b6721

  • SHA1

    974c10627925ef5a4f6bcba1b0d7cd0ed53f389b

  • SHA256

    67927395d9f2eae1752a3e8bab231342d7f673213574ec6719bb7cea4044c779

  • SHA512

    0d3119e9b26160aa57f98e36cdaf2e0f9a927719488495a3f25966877eb96293a0e88e48bc2b2838193b951db47b8ec8ccdd83ab0f1f85cc912209eeb5482a50

  • SSDEEP

    24576:d1j4MROxnFt3Gc9rrcI0AilFEvxHPQrood:diMijprrcI0AilFEvxHP

Malware Config

Extracted

  • Family

    orcus

  • C2

    animals-sewing.at.ply.gg:41503

  • Mutex

    35f7cd8d098f46da804e1423f889bef0

  • Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%/Runtime/RuntimeBroker.exe

  • reconnect_delay

    10000

  • registry_keyname

    WindowsUpdate

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\RuntimeBroker.exe

Targets

    • Target

      Qutn.exe

    • Size

      922KB

    • MD5

      761f7b36ea8c6bc31bbe703b584b6721

    • SHA1

      974c10627925ef5a4f6bcba1b0d7cd0ed53f389b

    • SHA256

      67927395d9f2eae1752a3e8bab231342d7f673213574ec6719bb7cea4044c779

    • SHA512

      0d3119e9b26160aa57f98e36cdaf2e0f9a927719488495a3f25966877eb96293a0e88e48bc2b2838193b951db47b8ec8ccdd83ab0f1f85cc912209eeb5482a50

    • SSDEEP

      24576:d1j4MROxnFt3Gc9rrcI0AilFEvxHPQrood:diMijprrcI0AilFEvxHP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops file in System32 directory
