General
Target: aef80451792e9ac3dea38a82f6dafaf5b7c8b6171c4848e02716c7fe1238423d.exe
Size: 3.0MB
Sample: 240127-lts3aabdhk
MD5: 86dfb83aa782af9e944be99b69f2360f
SHA1: 541893dca682deeeb2af6a0af5a13b286a315ad6
SHA256: 62b6dca4b7b00d31792b9559464968cc14e14e2c91e2a0df4ae6374581dee44f
SHA512: 136c5a4148c23f7de59d908f90b529b0576aff2e61de42c6fcb62b95ad5275693204360bcedf46c2060ab0518db96fb818b8fe34b8fa36978de289e890727bb8
SSDEEP: 98304:U5aFSzR+1R4LJXu9uzn+kdoj26YLXQ4HFdt+RNeE8e:U5aFI+1R4VSuzn+IoK6cXQ4ldARNce
Static task: static1
Behavioral task: behavioral1
Sample: aef80451792e9ac3dea38a82f6dafaf5b7c8b6171c4848e02716c7fe1238423d.exe
Resource: win7-20231215-en
Malware Config
Extracted family: orcus
Version: 0810
C2: 128.59.46.185:58101
Mutex/ID: sudo_krj7i3ftgkv1pf63olmxi42entmcqv5d
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\apitemp\tojavascript.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
Targets
Target: aef80451792e9ac3dea38a82f6dafaf5b7c8b6171c4848e02716c7fe1238423d.exe
Signatures:
- Orcus main payload
- Detects executables containing common artifacts observed in infostealers
- Detects executables manipulated with Fody
- Orcurs Rat Executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext