orcus | 403990c6cbb042f7c1f5e57177272f81 | Triage

Sharing

General

Target

403990c6cbb042f7c1f5e57177272f81
Size

1.3MB
MD5

403990c6cbb042f7c1f5e57177272f81
SHA1

ab9ef44ed7b93ecf7b6c43f23d75a3f2dc9d5a1b
SHA256

42af92e5be37c1daddda7672372a39ccebb24d31d2ea65bec2a74dfbc3a4e82c
SHA512

cb1adffb69f4ff6a62257325504cebc41d22f41910a41eae9c04ec5327da9f58fb652e79b87f580c7ac6f81f27cf2fba77b4fc3947b27dd59ae376f2d7c57ee5
SSDEEP

24576:hW5Df+qq6n4nP3P/oldSC+v18pqOxtKBsYOkP7Jz5I4MZ+xnF84gv41bb1tnKx4/:h9tvMqkm15SnDF5IPsmAjinh

Score

10^/10

audio orcus

Malware Config

Extracted

Family

orcus

Botnet

Audio

C2

cbm.adenz.top:4444

Mutex

e37e4cf8ebc34e47bb07c6e0844fc04a

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
403990c6cbb042f7c1f5e57177272f81

Files

403990c6cbb042f7c1f5e57177272f81
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 106KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ