General

  • Target

    89ac4c14b682cf9733a23a7b729eca9b22b87ddf8062063b6a04c18bfd4a1636

  • Size

    960KB

  • Sample

    240203-bt91padga8

  • MD5

    b1cd43cc89837b25964fed9f6e12b957

  • SHA1

    30c58e4b0f8164c9eec1bfd5a392577597ddeef5

  • SHA256

    89ac4c14b682cf9733a23a7b729eca9b22b87ddf8062063b6a04c18bfd4a1636

  • SHA512

    c5886e6559557c7717477bcfcb7cdc555e75319f83eb2a0055eb1f923c428023d6eb0b3c6812df7ee7e4fcd96ac3ce7dc11f90ed57769f72f2297e9e94ed4146

  • SSDEEP

    24576:rKW4MROxnF53CwrrcI0AilFEvxHPiooe:rOMi7CwrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

10.18.9.58:3800

Mutex

56f69327abaf4abeb9278028d48453be

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %localappdata%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\ZoomUpdate.exe

Targets

    • Target

      89ac4c14b682cf9733a23a7b729eca9b22b87ddf8062063b6a04c18bfd4a1636

    • Size

      960KB

    • MD5

      b1cd43cc89837b25964fed9f6e12b957

    • SHA1

      30c58e4b0f8164c9eec1bfd5a392577597ddeef5

    • SHA256

      89ac4c14b682cf9733a23a7b729eca9b22b87ddf8062063b6a04c18bfd4a1636

    • SHA512

      c5886e6559557c7717477bcfcb7cdc555e75319f83eb2a0055eb1f923c428023d6eb0b3c6812df7ee7e4fcd96ac3ce7dc11f90ed57769f72f2297e9e94ed4146

    • SSDEEP

      24576:rKW4MROxnF53CwrrcI0AilFEvxHPiooe:rOMi7CwrrcI0AilFEvxHP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks