General
-
Target
BubbleGum.exe
-
Size
913KB
-
MD5
748d9e7dded0fe4061365ef179edf7c2
-
SHA1
424e254d2994cc84e9fe25cfa4fa70e0525962f0
-
SHA256
8e95e23ae63cb61ab1ccf577a9fdfc954a86909e0b56ffedba4991ceed2841f1
-
SHA512
bbe3dd8e067c09e783410a230f1abf515e050ee6c88d9b3d6c25a7dda864d3fb94c1fab94ab315393330ec1d645af08571ebc2f8bff5f9db01d5e0e4f5d0ab9e
-
SSDEEP
24576:X0M4MROxnFNFPurerrcI0AilFEvxHPZPooI:XuMieerrcI0AilFEvxHP
Malware Config
Extracted
orcus
192.168.1.78:10134
c29f10c39b8e4ad0bdd582b0231f4e4e
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcurs Rat Executable 1 IoCs
resource yara_rule sample orcus -
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule sample family_orcus -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource BubbleGum.exe
Files
-
BubbleGum.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 907KB - Virtual size: 907KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ