General

  • Target

    63cc88701c5094a48b8fbe367c69dcce3aefbd9fe1f2d1065820cdbe34d7d35e

  • Size

    1.0MB

  • Sample

    240128-bqltpagca9

  • MD5

    c9507cd8bbdd6e98937eed6f088f0bfe

  • SHA1

    ea49f6a831dca5522a3d46df8a4a759e84e6b23e

  • SHA256

    63cc88701c5094a48b8fbe367c69dcce3aefbd9fe1f2d1065820cdbe34d7d35e

  • SHA512

    732430099b4fbfc092eacb779349d5952b88c9305c9afc0abb2a82bcc6b46ff4db22199a432b7b47d3f0000549dde4daabc0b83939a6a06626d143b2cc809ad6

  • SSDEEP

    24576:ZBOgWqxn8atesmz+eUbjnAZOl4fsceI9SdP8xsd2lUFC648s3Xi8MIPDC+z3EytH:Zg0Ism5E4fsXVYi4zH3Xi8M2DtzUytIK

Malware Config

Extracted

Family

orcus

C2

77.246.110.208:8888

Mutex

9a11a86ac0a34ca2a13e9c521e64f838

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Steam\svchost.exe

  • reconnect_delay

    10000

  • registry_keyname

    svchost

  • taskscheduler_taskname

    svchost

  • watchdog_path

    Temp\svchost.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks