General

  • Target

    f76c01d9cf15bd8b368e0661ce47c8eada088759e244101747d6cf3df9161833

  • Size

    925KB

  • Sample

    240131-bq8nfsaddp

  • MD5

    b3c6c1e973643914ab40054f76e48568

  • SHA1

    b4d8cb61b7f050bae35a1360949f14c98522be37

  • SHA256

    f76c01d9cf15bd8b368e0661ce47c8eada088759e244101747d6cf3df9161833

  • SHA512

    0296537a03142f80f7a11b9136b55d8f8eab01dbf46399622eaf2843d440939ad13195b69a62e56ad1fbc2019950b29b6af238ad491882bcd802884b34619230

  • SSDEEP

    24576:lGOd4MROxnFE3drXpRrZlI0AilFEvxHi8S0:lGdMiudpRrZlI0AilFEvxHi8

Malware Config

Extracted

Family

orcus

C2

192.168.0.200:10134

Mutex

9673c6daa5c54addb2111622cd9568e5

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    nura

  • taskscheduler_taskname

    nra

  • watchdog_path

    AppData\HFKAHSFAS.exe

Targets

    • Target

      f76c01d9cf15bd8b368e0661ce47c8eada088759e244101747d6cf3df9161833


    • Orcus

      Orcus is a Remote Access Trojan sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15