General

  • Target

    85911e56d41df4ca3d3330ffee637bcea74f11489da6daa988b6411581dd0bbc

  • Size

    891KB

  • Sample

    240128-bkfeqagbc7

  • MD5

    671375c935292a0194ec3edc7bf2c193

  • SHA1

    610cfa8e66962413fd6e11897aea0e831cc311a5

  • SHA256

    85911e56d41df4ca3d3330ffee637bcea74f11489da6daa988b6411581dd0bbc

  • SHA512

    936e406e95a0f10bf1d8c7129853565af85623d72c4a3cf5a3ad1c8d02b4b0ddcb493924d6c456efe01b4b77bc011445ba197c903574e5a6cbb9867533dda075

  • SSDEEP

    24576:eDkUNi1EYqZRoLLzjfk74P1H5PCV6VGMz:eDkUrz0LzgMg9w

Malware Config

Extracted

Family

orcus

C2

192.168.0.103:10134

Mutex

00c1c23b40624c6d8c5da48e48b3abdb

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      85911e56d41df4ca3d3330ffee637bcea74f11489da6daa988b6411581dd0bbc

    • Size

      891KB

    • MD5

      671375c935292a0194ec3edc7bf2c193

    • SHA1

      610cfa8e66962413fd6e11897aea0e831cc311a5

    • SHA256

      85911e56d41df4ca3d3330ffee637bcea74f11489da6daa988b6411581dd0bbc

    • SHA512

      936e406e95a0f10bf1d8c7129853565af85623d72c4a3cf5a3ad1c8d02b4b0ddcb493924d6c456efe01b4b77bc011445ba197c903574e5a6cbb9867533dda075

    • SSDEEP

      24576:eDkUNi1EYqZRoLLzjfk74P1H5PCV6VGMz:eDkUrz0LzgMg9w

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks