Behavioral task
behavioral1
Sample
2ca341bc60674d590069eb99e8bf2ecb8cbf44c0fd0d40e7a7b870f05b5a900c.exe
Resource
win7-20231215-en
General
-
Target
2ca341bc60674d590069eb99e8bf2ecb8cbf44c0fd0d40e7a7b870f05b5a900c
-
Size
1.1MB
-
MD5
34b6450b9e4e3b3727ff9d7e9c790d34
-
SHA1
edbbd2c236ac2fe7402b938199b70f3510c2c58c
-
SHA256
2ca341bc60674d590069eb99e8bf2ecb8cbf44c0fd0d40e7a7b870f05b5a900c
-
SHA512
65349b6632615201537f9f1791f52de07d1ee101edddc1696916dfb02b320c45272be95286b25c4a743cf6b8889489f6e7b93c774ded6c46b98a74337748da38
-
SSDEEP
24576:H884MROxnFE3ci3rrcI0AilFEvxHPpoot:HGMiuv3rrcI0AilFEvxHP
Malware Config
Extracted
orcus
0.tcp.eu.ngrok.io:12187
f78b25f6477f429680c2e1eadc9b201c
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\svchost\svchost.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\svchost.exe
Signatures
-
Orcurs Rat Executable 1 IoCs
resource yara_rule sample orcus -
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule sample family_orcus -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 2ca341bc60674d590069eb99e8bf2ecb8cbf44c0fd0d40e7a7b870f05b5a900c
Files
-
2ca341bc60674d590069eb99e8bf2ecb8cbf44c0fd0d40e7a7b870f05b5a900c.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 921KB - Virtual size: 921KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 251KB - Virtual size: 250KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ