General

  • Target

    96c6c8a692801bf8c71e2cbe76ec858c4e2b05b62d5513ab8699fa121478aaa5

  • Size

    5.0MB

  • Sample

    240127-bl7wcsbfam

  • MD5

    9e1d310ca43ece16b4f87ecd6b199f4b

  • SHA1

    e30216e1f9da8549b2a8529735eca256632d2139

  • SHA256

    96c6c8a692801bf8c71e2cbe76ec858c4e2b05b62d5513ab8699fa121478aaa5

  • SHA512

    4e3b1570729cf98bb967d00ae569f9266af658ac9409c53b6fa8cf0eddd63fe8ab2aab4c3075500ee951a9cbcec84fa0b0d12be2e6647b6956c8578073533753

  • SSDEEP

    24576:6Eqr4MROxnFi3NUrBrZlI0AilFEvxHi/1:6EjMioCVrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

77.246.110.208:8888

Mutex

9a11a86ac0a34ca2a13e9c521e64f838

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Steam\svchost.exe

  • reconnect_delay

    10000

  • registry_keyname

    svchost

  • taskscheduler_taskname

    svchost

  • watchdog_path

    Temp\svchost.exe

Targets

    • Target

      96c6c8a692801bf8c71e2cbe76ec858c4e2b05b62d5513ab8699fa121478aaa5

    • Size

      5.0MB

    • MD5

      9e1d310ca43ece16b4f87ecd6b199f4b

    • SHA1

      e30216e1f9da8549b2a8529735eca256632d2139

    • SHA256

      96c6c8a692801bf8c71e2cbe76ec858c4e2b05b62d5513ab8699fa121478aaa5

    • SHA512

      4e3b1570729cf98bb967d00ae569f9266af658ac9409c53b6fa8cf0eddd63fe8ab2aab4c3075500ee951a9cbcec84fa0b0d12be2e6647b6956c8578073533753

    • SSDEEP

      24576:6Eqr4MROxnFi3NUrBrZlI0AilFEvxHi/1:6EjMioCVrZlI0AilFEvxHi

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks