orcus | 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4 | Triage

Sharing

General

Target

23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4
Size

920KB
MD5

753505f665835e0f8542f83252d8251c
SHA1

880a37b15bec07ce4ff748fb2e8d138754c8b636
SHA256

23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4
SHA512

91d69bcd0b6dd9e096a31db9c3778432088c69e6d329c12bba7e1803bf0dd7325338d42c76d0b6cb6a8e954a0e931754a3c7cc2f07b7c8b21700ac9b6ad9137c
SSDEEP

24576:iD54MROxnFt34cirrcI0AilFEvxHPf8oom:iSMijgrrcI0AilFEvxHP

Score

10^/10

777 orcus

Malware Config

Extracted

Family

orcus

Botnet

777

C2

10.86.6.129:3333

Mutex

bc671c436af448dd952335335bfcb715

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Windows Start
watchdog_path
AppData\WindowsUpdate.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4

Files

23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 917KB - Virtual size: 917KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ