General

  • Target

    77c7d93af82e198e1b9747ba69201d9b

  • Size

    1.0MB

  • Sample

    240126-te3xyahcb8

  • MD5

    77c7d93af82e198e1b9747ba69201d9b

  • SHA1

    ca556d4b31b9b0249556f8677837349025d66f1d

  • SHA256

    ef6c7b15e6b1f50e1f6095866b38752bb579c7b3db0cd16bcfe98168a49694ed

  • SHA512

    c1ac7c068ddc385ab701c3a7e516453539070223360c7cec0b7a97f909fcce296d0b20d55d5d8446a635ce3c0e4f4a2e49f92d580b06f2dff969e7fa186f1e69

  • SSDEEP

    24576:DsnlzLQ/n6Gk7iUZOxEIHrjpisuPj19rpTyEfFn8NBVxMGlw:DslgwuEILNipGAFnoBZlw

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    X-Ray

  • C2

    84.211.45.112:1085

  • Mutex

    2df7378048d342cd973fd1b9a4443c5b

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Windows

  • taskscheduler_taskname

    Windows Audio

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      Xray/X-Ray.dll

    • Size

      13KB

    • MD5

      bedf2fd3ae2d7aede5f561fec0fbd068

    • SHA1

      5ea14d9a83e937f6cd2737e12764bab1583b88b3

    • SHA256

      5d39f2f72dd0bccc6dfb6e193cb9d857126822af77d8481295fbcda863d38a61

    • SHA512

      bd698f0d081b3160cb357bd172c4da20df151dcbac6f4ec98ab6eb3a1baea2937bd219cc56d972d72111fd5ec47da85e7358877702277177f32eb96a9c46c0b1

    • SSDEEP

      192:oUG1JOVPbkgS8EosdO6XvhF08SKp8stYcFASVc03KY:AoVPbkgx+dO6Xv//pptYcFASVc03K

    • Score

      1/10

    • Target

      Xray/Xray.exe

    • Size

      1.2MB

    • MD5

      f5e40c12c971ed8b0bf3ad8945654905

    • SHA1

      5082c10a069b4f2cc882a5ed2e934b752f4e2a67

    • SHA256

      80280a9b20ac639d841b002238a66bcddeef930e668005da8fc5e2505c577b67

    • SHA512

      7525928dbfedcc0299e0d1f0068d5b942f815e04126ea1b87fc8955016e2e6961f7e07691700c9785fcecb18a21df0fdf97a936d9692613ba1ecc242d14c9372

    • SSDEEP

      12288:gHiLvYSTmLXRzFQwiCXADp9r9sNSoTDCVUjN0ZsCagWdBswgcp4oA+vpDQp5go+1:Z6rRZwXDiXdp0ggWv6oACp47MQ7u

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
