Behavioral task
behavioral1
Sample
02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe
Resource
win7-20231215-en
General
-
Target
02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c
-
Size
1.0MB
-
MD5
b09d835b1c8bf6c5c24c5c958d8dea82
-
SHA1
bf4511de1e9e27f76ecd3cefe1a3392b00329ac2
-
SHA256
02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c
-
SHA512
086605f75ff971eda077ee494b8a3dc8edda4cffa6071156638cb3d189a8cc91d1449b8dc8848df6d3a190443eb53af19ca74d55e31c8a20b4cc1feef1d9bcba
-
SSDEEP
24576:k4I4MROxnFSx3UUDqrrcI0AilFEvxHPfMCYooE4:kaMiYJUUGrrcI0AilFEvxHPfJN
Malware Config
Extracted
orcus
4.tcp.eu.ngrok.io:14390
381f52cc4da947c788fee861bc207f0e
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\Steam Helper\Steam.exe
-
reconnect_delay
10000
-
registry_keyname
UpdateSystem32
-
taskscheduler_taskname
Системные прирывания
-
watchdog_path
Temp\Update Defender.exe
Signatures
-
Orcurs Rat Executable 1 IoCs
resource yara_rule sample orcus -
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule sample family_orcus -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c
Files
-
02cb3ad1448449e784cb51f4238da4fe10abe0f9e11642c32399cb2d2972cc4c.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 932KB - Virtual size: 932KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 114KB - Virtual size: 113KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ