General

  • Target

    aef80451792e9ac3dea38a82f6dafaf5b7c8b6171c4848e02716c7fe1238423d.exe

  • Size

    3.0MB

  • Sample

    240127-lts3aabdhk

  • MD5

    86dfb83aa782af9e944be99b69f2360f

  • SHA1

    541893dca682deeeb2af6a0af5a13b286a315ad6

  • SHA256

    62b6dca4b7b00d31792b9559464968cc14e14e2c91e2a0df4ae6374581dee44f

  • SHA512

    136c5a4148c23f7de59d908f90b529b0576aff2e61de42c6fcb62b95ad5275693204360bcedf46c2060ab0518db96fb818b8fe34b8fa36978de289e890727bb8

  • SSDEEP

    98304:U5aFSzR+1R4LJXu9uzn+kdoj26YLXQ4HFdt+RNeE8e:U5aFI+1R4VSuzn+IoK6cXQ4ldARNce

Malware Config

Extracted

Family

orcus

Botnet

0810

C2

128.59.46.185:58101

Mutex

sudo_krj7i3ftgkv1pf63olmxi42entmcqv5d

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\apitemp\tojavascript.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Target

      aef80451792e9ac3dea38a82f6dafaf5b7c8b6171c4848e02716c7fe1238423d.exe

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables manipulated with Fody

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
