General

Target: 63cc88701c5094a48b8fbe367c69dcce3aefbd9fe1f2d1065820cdbe34d7d35e
Size: 1.0MB
Sample: 240128-bqltpagca9
MD5: c9507cd8bbdd6e98937eed6f088f0bfe
SHA1: ea49f6a831dca5522a3d46df8a4a759e84e6b23e
SHA256: 63cc88701c5094a48b8fbe367c69dcce3aefbd9fe1f2d1065820cdbe34d7d35e
SHA512: 732430099b4fbfc092eacb779349d5952b88c9305c9afc0abb2a82bcc6b46ff4db22199a432b7b47d3f0000549dde4daabc0b83939a6a06626d143b2cc809ad6
SSDEEP: 24576:ZBOgWqxn8atesmz+eUbjnAZOl4fsceI9SdP8xsd2lUFC648s3Xi8MIPDC+z3EytH:Zg0Ism5E4fsXVYi4zH3Xi8M2DtzUytIK
Static task: static1

Behavioral task: behavioral1
  Sample: 63cc88701c5094a48b8fbe367c69dcce3aefbd9fe1f2d1065820cdbe34d7d35e.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 63cc88701c5094a48b8fbe367c69dcce3aefbd9fe1f2d1065820cdbe34d7d35e.exe
  Resource: win10v2004-20231215-en
Malware Config

Extracted: orcus
C2: 77.246.110.208:8888
Unlabelled value: 9a11a86ac0a34ca2a13e9c521e64f838
autostart_method: Registry
enable_keylogger: false
install_path: %programfiles%\Steam\svchost.exe
reconnect_delay: 10000
registry_keyname: svchost
taskscheduler_taskname: svchost
watchdog_path: Temp\svchost.exe
Targets

Target: 63cc88701c5094a48b8fbe367c69dcce3aefbd9fe1f2d1065820cdbe34d7d35e
Score: 10/10

- Orcus main payload
- Orcus RAT executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
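The extracted configuration and the persistence signatures above (Run key, scheduled task, dropped executables, the C2 endpoint) are enough to hunt for this build on other hosts. The Python below is an added example, not part of this sandbox report or of Orcus: it turns the config values into indicators and matches them against a constructed set of endpoint artifacts. Two assumptions are made and marked in the code: `%programfiles%` expands to `C:\Program Files`, and the relative `watchdog_path` of `Temp\svchost.exe` means that file name inside a Temp directory. Because a genuine `svchost.exe` only lives in `System32` or `SysWOW64`, the matcher also flags any `svchost.exe` found elsewhere, which catches the `Steam\svchost.exe` and `Temp\svchost.exe` masquerade even if the install root differs from the one extracted here.

```python
"""Turn the Orcus config from this report into indicators and match them against
endpoint artifacts (Run keys, scheduled tasks, files, network connections).
Added example, not part of the report or of Orcus; SAMPLE_ARTIFACTS is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report.
ORCUS_CONFIG = {
    "c2": "77.246.110.208:8888",
    "install_path": r"%programfiles%\Steam\svchost.exe",
    "registry_keyname": "svchost",
    "taskscheduler_taskname": "svchost",
    "watchdog_path": r"Temp\svchost.exe",
}
# Assumed expansion for a default 64-bit host; the report does not state it.
ENV = {"%programfiles%": r"C:\Program Files"}
# The only places a genuine svchost.exe lives; one anywhere else is suspect.
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}


def expand(path: str) -> str:
    """Expand %var% placeholders (case-insensitively) using ENV."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def parse_c2(spec: str) -> tuple[str, int]:
    """Split 'host:port' into (host, port); reject malformed ports."""
    host, sep, port = spec.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad C2 spec: {spec!r}")
    return host, int(port)


def norm(path: str) -> str:
    """Normalise a Windows path for comparison: trim, unquote, lowercase."""
    return path.strip().strip('"').lower()


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    install_path: str
    watchdog_suffix: str  # watchdog_path is relative, so match on the path tail
    run_key_name: str
    task_name: str


def build_indicators(cfg: dict) -> Indicators:
    host, port = parse_c2(cfg["c2"])
    return Indicators(
        c2_host=host, c2_port=port,
        install_path=norm(expand(cfg["install_path"])),
        # Assumption: 'Temp\svchost.exe' means that file name inside a Temp directory.
        watchdog_suffix="\\" + norm(cfg["watchdog_path"]),
        run_key_name=cfg["registry_keyname"].lower(),
        task_name=cfg["taskscheduler_taskname"].lower(),
    )


def match_artifacts(ind: Indicators, artifacts: list[dict]) -> list[str]:
    """Return one finding per artifact (kind: run_key, task, file, conn) that matches."""
    findings = []
    for a in artifacts:
        kind = a["kind"]
        if kind == "run_key":
            if a["name"].lower() == ind.run_key_name or norm(a["value"]) == ind.install_path:
                findings.append(f"run_key {a['name']} -> {a['value']}")
        elif kind == "task":
            if a["name"].lower() == ind.task_name:
                findings.append(f"task {a['name']} -> {a['action']}")
        elif kind == "file":
            p = norm(a["path"])
            if p == ind.install_path or p.endswith(ind.watchdog_suffix):
                findings.append(f"file {a['path']}")
            elif p.endswith("\\svchost.exe") and p not in LEGIT_SVCHOST:
                findings.append(f"file {a['path']} (svchost.exe outside System32)")
        elif kind == "conn":
            if a["dst"] == ind.c2_host and a["dport"] == ind.c2_port:
                findings.append(f"conn {a['dst']}:{a['dport']} from pid {a['pid']}")
    return findings


# Constructed endpoint artifacts (not from the report): benign entries mixed
# with ones that match the config above.
SAMPLE_ARTIFACTS = [
    {"kind": "run_key", "name": "OneDrive", "value": r"C:\Users\v\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"kind": "run_key", "name": "svchost", "value": r'"C:\Program Files\Steam\svchost.exe"'},
    {"kind": "task", "name": "GoogleUpdateTaskMachineUA", "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"},
    {"kind": "task", "name": "svchost", "action": r"C:\Program Files\Steam\svchost.exe"},
    {"kind": "file", "path": r"C:\Windows\System32\svchost.exe"},
    {"kind": "file", "path": r"C:\Users\v\AppData\Local\Temp\svchost.exe"},
    {"kind": "file", "path": r"C:\Program Files\Steam\steam.exe"},
    {"kind": "conn", "pid": 4120, "dst": "77.246.110.208", "dport": 8888},
    {"kind": "conn", "pid": 812, "dst": "20.190.160.14", "dport": 443},
]

if __name__ == "__main__":
    ind = build_indicators(ORCUS_CONFIG)
    print(f"C2 {ind.c2_host}:{ind.c2_port}  install {ind.install_path}")
    for hit in match_artifacts(ind, SAMPLE_ARTIFACTS):
        print("HIT", hit)
```

Running the block as-is reports four hits from the constructed artifacts: the `svchost` Run key, the `svchost` scheduled task, the watchdog copy under Temp, and the connection to 77.246.110.208:8888; the genuine `System32\svchost.exe` and the unrelated Steam, OneDrive and Google entries are left alone. On a live host the artifact list would be populated from the Run keys, `schtasks`, a file listing and netstat or EDR telemetry instead of the inline records.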