General
Target: 91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123
Size: 924KB
Sample: 240202-cyr64seafl
MD5: 24531eaea23f77871182a8922fb18f14
SHA1: ef5087b41ea3ff415fdc157701c02d03201198c1
SHA256: 91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123
SHA512: e85fce664de612bcb10e838d5a91ef48ebd43311ef9d5a0e59ad8b0d3525cb22a68f16eb3182af9a211f2226cfc282c34f79ade30777e7bb1b3f9c261fdcd3ad
SSDEEP: 24576:REqr4MROxnFE3mrXpcrZlI0AilFEvxHi6L:REjMiuEpcrZlI0AilFEvxHi
Behavioral task: behavioral1
Sample: 91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123.exe
Resource: win7-20231215-en
Malware Config
Extracted: orcus
lox
4.tcp.eu.ngrok.io:15752
35c0f1c0701b45399a6e229d4f19963f
autostart_method: Registry
enable_keylogger: true
install_path: %programfiles%\Orcus\svhost.exe
reconnect_delay: 10000
registry_keyname: System
taskscheduler_taskname: Orcus
watchdog_path: AppData\Svhost.exe
Targets
Target: 91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123
Size: 924KB
MD5: 24531eaea23f77871182a8922fb18f14
SHA1: ef5087b41ea3ff415fdc157701c02d03201198c1
SHA256: 91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123
SHA512: e85fce664de612bcb10e838d5a91ef48ebd43311ef9d5a0e59ad8b0d3525cb22a68f16eb3182af9a211f2226cfc282c34f79ade30777e7bb1b3f9c261fdcd3ad
SSDEEP: 24576:REqr4MROxnFE3mrXpcrZlI0AilFEvxHi6L:REjMiuEpcrZlI0AilFEvxHi
Signatures
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory