orcus | iklg[.]exe | Triage

Sharing

General

Target

iklg.exe
Size

920KB
MD5

4317ae5bbe5eb716861e943a50556f1e
SHA1

40390d48575b55dd3b56108f1aa98d99065850d9
SHA256

d0e9567a2ffa4575fa10e8de3197c3c77b435030474271f17875908b8ed2d90e
SHA512

b89242de92b108b604c562defa9217f7130aea81c4328811749c703296bdfa2af708b8e5a968985afd1c87c73ddd47a44d83f78b8144c4c9746c6d8224e7c1ad
SSDEEP

24576:/kL94MROxnFt3QcbrrcI0AilFEvxHP59oou:cWMij1rrcI0AilFEvxHP5

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

animals-sewing.at.ply.gg:41503

Mutex

82ec839ddf304deb8c129b9e478b8fbd

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Runtime\RuntimeBroker.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\RuntimeBroker.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Files

iklg.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 917KB - Virtual size: 917KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ