orcus | Visual C++ Redist (x64)[.]exe | Triage

Sharing

General

Target

Visual C++ Redist (x64).exe
Size

3.1MB
MD5

d5c3bcc07ed188f8ad02b3671184e76a
SHA1

5502546397226e043605aa331196ed73c5394548
SHA256

3cfeff542e0b4f952369516566b67fe95dc2d79dab6d7cb5dc399b609395bf54
SHA512

201d152c36f7367675af5f9c2c823fae7617987e215fda0e12eac4c12bf0ab96dedcddcb6e46bc6f1b3b83c07c22af48451e2bf8d76945882a8ea9a04b40266e
SSDEEP

49152:ucUjQZKMR9kmWg8LXoI9ahqmK0fEAypQxbyo9JnCme8ArCXII6iEFCvxHP:uDjXSSJg8zomah1KqypSbyo9JCm5

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:10134

Mutex

b59cd5ae9a4e4817a52088189ca08282

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Microsoft\VisualCppUpdater.exe
reconnect_delay
0
registry_keyname
Orcus
taskscheduler_taskname
VisualCpp
watchdog_path
AppData\VisualCppUpdater.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Visual C++ Redist (x64).exe

Files

Visual C++ Redist (x64).exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 168KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ