orcus | 30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db[.]exe[.]zip

General

Target

30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db.exe.zip
Size

617KB
MD5

503a4e86e4c3b9357238dcd8a3cfa5b9
SHA1

c35dc57a6598a82e83716401a1c6496a242a23e5
SHA256

782f7242910234ea11f7f59cc954f0938ec04b2c25c0d27af969d9c3f60a320c
SHA512

5c540f572399bc08651a76c5c750b10859c8afcd1d3dec5c6c603d0d1e8392fd530b0142b1c2e21cd7047325824d15ad3c090a8e0f9809d0aa7dc212e950252f
SSDEEP

12288:NQlOGtCGgWc+M9lU6kTbps4OgwLPiGn0ZND0m/hai6xOJyQEJY242zis0oC7K:NQlLc9Wc+y9kBsGijnGND0m/hfzxuYsZ

Score

10^/10

scammers orcus

Family

orcus

Botnet

Scammers

C2

44.203.122.41:1604

Mutex

b040a0c11d1a4273bc5428c0c9cb2c5b

Attributes

Orcurs Rat Executable 1 IoCs

resource	yara_rule
static1/unpack001/30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db.exe	orcus

Orcus main payload 1 IoCs

resource	yara_rule
static1/unpack001/30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db.exe	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db.exe

30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db.exe.zip
.zip

Password: infected
30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db.exe
.exe windows:4 windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 915KB - Virtual size: 915KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ