General

  • Target

    91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123

  • Size

    924KB

  • Sample

    240202-cyr64seafl

  • MD5

    24531eaea23f77871182a8922fb18f14

  • SHA1

    ef5087b41ea3ff415fdc157701c02d03201198c1

  • SHA256

    91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123

  • SHA512

    e85fce664de612bcb10e838d5a91ef48ebd43311ef9d5a0e59ad8b0d3525cb22a68f16eb3182af9a211f2226cfc282c34f79ade30777e7bb1b3f9c261fdcd3ad

  • SSDEEP

    24576:REqr4MROxnFE3mrXpcrZlI0AilFEvxHi6L:REjMiuEpcrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

Botnet

lox

C2

4.tcp.eu.ngrok.io:15752

Mutex

35c0f1c0701b45399a6e229d4f19963f

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\svhost.exe

  • reconnect_delay

    10000

  • registry_keyname

    System

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\Svhost.exe

Targets

    • Target

      91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123

    • Size

      924KB

    • MD5

      24531eaea23f77871182a8922fb18f14

    • SHA1

      ef5087b41ea3ff415fdc157701c02d03201198c1

    • SHA256

      91f1d59df13a9eee78c99077fac4aef123757339a83f9091e76923a3e9cb1123

    • SHA512

      e85fce664de612bcb10e838d5a91ef48ebd43311ef9d5a0e59ad8b0d3525cb22a68f16eb3182af9a211f2226cfc282c34f79ade30777e7bb1b3f9c261fdcd3ad

    • SSDEEP

      24576:REqr4MROxnFE3mrXpcrZlI0AilFEvxHi6L:REjMiuEpcrZlI0AilFEvxHi

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks