General

  • Target

    183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc

  • Size

    3.0MB

  • Sample

    240201-bdxqesfhe7

  • MD5

    b7ee8bc1eb1e49b2350c4a06c0fbde70

  • SHA1

    b756d20d3f5c42d7eb05d371b33de4d57fa559cb

  • SHA256

    183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc

  • SHA512

    1b767b355dfd3c30ba29e1a38ab139b7a22be4aa29085c9c71353ff725a01f64080e836b96f71c5764a11e94e4d90394401ee9a04404e7ff365c1fef860e99eb

  • SSDEEP

    49152:TwVN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmBWncFf0I74gu3JM:TM0wGGzBjryX82uypSb9ndo9JCm

Malware Config

Extracted

  • Family

    orcus

  • C2

    191.101.34.192:58038

  • Mutex

    744935b914914972951ad8d87606b25a

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\SystemWorker\SystemWorker.exe

  • reconnect_delay

    10000

  • registry_keyname

    SystemWorker

  • taskscheduler_taskname

    System

  • watchdog_path

    AppData\SystemWorker.exe

Targets

    • Target

      183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks