General

Target: 183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc
Size: 3.0MB
Sample: 240201-bdxqesfhe7
MD5: b7ee8bc1eb1e49b2350c4a06c0fbde70
SHA1: b756d20d3f5c42d7eb05d371b33de4d57fa559cb
SHA256: 183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc
SHA512: 1b767b355dfd3c30ba29e1a38ab139b7a22be4aa29085c9c71353ff725a01f64080e836b96f71c5764a11e94e4d90394401ee9a04404e7ff365c1fef860e99eb
SSDEEP: 49152:TwVN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmBWncFf0I74gu3JM:TM0wGGzBjryX82uypSb9ndo9JCm

Behavioral task

behavioral1
Sample: 183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc.exe
Resource: win7-20231215-en

Malware Config

Extracted: orcus
191.101.34.192:58038
744935b914914972951ad8d87606b25a
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\SystemWorker\SystemWorker.exe
reconnect_delay: 10000
registry_keyname: SystemWorker
taskscheduler_taskname: System
watchdog_path: AppData\SystemWorker.exe

Targets

Target: 183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc
Size: 3.0MB
MD5: b7ee8bc1eb1e49b2350c4a06c0fbde70
SHA1: b756d20d3f5c42d7eb05d371b33de4d57fa559cb
SHA256: 183b565e13e79e6e5b003d9a2b48dd4d84f6768fa9aa3449b6994358e77e53cc
SHA512: 1b767b355dfd3c30ba29e1a38ab139b7a22be4aa29085c9c71353ff725a01f64080e836b96f71c5764a11e94e4d90394401ee9a04404e7ff365c1fef860e99eb
SSDEEP: 49152:TwVN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmBWncFf0I74gu3JM:TM0wGGzBjryX82uypSb9ndo9JCm

- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory