orcus | Qutn[.]exe | Triage

Sharing

General

Target

Qutn.exe
Size

922KB
MD5

761f7b36ea8c6bc31bbe703b584b6721
SHA1

974c10627925ef5a4f6bcba1b0d7cd0ed53f389b
SHA256

67927395d9f2eae1752a3e8bab231342d7f673213574ec6719bb7cea4044c779
SHA512

0d3119e9b26160aa57f98e36cdaf2e0f9a927719488495a3f25966877eb96293a0e88e48bc2b2838193b951db47b8ec8ccdd83ab0f1f85cc912209eeb5482a50
SSDEEP

24576:d1j4MROxnFt3Gc9rrcI0AilFEvxHPQrood:diMijprrcI0AilFEvxHP

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

animals-sewing.at.ply.gg:41503

Mutex

35f7cd8d098f46da804e1423f889bef0

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%/Runtime/RuntimeBroker.exe
reconnect_delay
10000
registry_keyname
WindowsUpdate
taskscheduler_taskname
Orcus
watchdog_path
AppData\RuntimeBroker.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Files

Qutn.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 919KB - Virtual size: 918KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ