General

  • Target

    c20234fc458f1e66563e6704c29edaf170095261097b9d0449534cc1e2d52127

  • Size

    910KB

  • Sample

    240209-bdzj1sde8w

  • MD5

    484c14a70d5a26ebdadde4ad5e03779e

  • SHA1

    0e6a5464eb92561eb007f5bd802083c9c6ec1124

  • SHA256

    c20234fc458f1e66563e6704c29edaf170095261097b9d0449534cc1e2d52127

  • SHA512

    faf234088dce7aa431407bc01777fefd5c67ae497ee63468257cc4e8f4bbc5394b8c2e83cf19ef286b5fd0d74a7dd44a133656a454ec3aaa7cf62ac774e2de8e

  • SSDEEP

    24576:Wam4MROxnFrFPurerrcI0AilFEvxHPh5ooT:WOMiMerrcI0AilFEvxHPh

Malware Config

Extracted

Family

orcus

Botnet

penis

C2

obfuscated.us:8080

Mutex

41fdffd0276c4314a5a934c62fb1022f

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\System\System

  • reconnect_delay

    10000

  • registry_keyname

    System39

  • taskscheduler_taskname

    System39

  • watchdog_path

    AppData\System.exe
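The extracted config above is what a responder would turn into host-side indicators: the Run value and scheduled task are both named System39, the install directory sits under %programfiles%, the watchdog binary is dropped as System.exe, and the C2 is obfuscated.us:8080. The following Python is an added example (not code from the report or the sandbox) that normalises those fields into comparable indicators and matches them against a constructed host inventory. The %programfiles% expansion, the sample inventory, and the function names are assumptions; the config values themselves are the ones on this page.

```python
import re

# Config values as extracted on this page (Malware Config section).
ORCUS_CONFIG = {
    "c2": "obfuscated.us:8080",
    "mutex": "41fdffd0276c4314a5a934c62fb1022f",
    "autostart_method": "Registry",
    "install_path": r"%programfiles%\System\System",
    "registry_keyname": "System39",
    "taskscheduler_taskname": "System39",
    "watchdog_path": r"AppData\System.exe",
}

# Assumed expansion of %var% tokens; the report does not state the victim's
# environment, so this value is illustrative only.
ASSUMED_ENV = {"programfiles": r"C:\Program Files"}


def expand_env(path: str, env: dict) -> str:
    """Expand Windows-style %VAR% tokens case-insensitively; unknown tokens stay."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def build_iocs(cfg: dict = ORCUS_CONFIG, env: dict = ASSUMED_ENV) -> dict:
    """Normalise the extracted config into lower-cased, comparable indicators."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),
        # install_path is a directory; the dropped binary lives beneath it
        "install_dir": expand_env(cfg["install_path"], env).lower(),
        "run_value": cfg["registry_keyname"].lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
        # watchdog_path is relative in the config, so it is matched as a
        # path suffix (assumption: taken literally, relative to the profile)
        "watchdog_suffix": cfg["watchdog_path"].lower(),
    }


def check_host(inventory: dict, iocs: dict) -> list:
    """Compare a host inventory against the IOCs and return one line per hit.

    inventory keys (all optional):
      run_values:  list of (value_name, command) from the ...\\Run keys
      tasks:       list of scheduled task names
      mutexes:     list of named mutex objects
      connections: list of (remote_host, remote_port)
      files:       list of file paths
    """
    findings = []
    for name, cmd in inventory.get("run_values", []):
        if name.lower() == iocs["run_value"] or iocs["install_dir"] in cmd.lower():
            findings.append(f"run value {name!r} -> {cmd}")
    for task in inventory.get("tasks", []):
        if task.lower() == iocs["task_name"]:
            findings.append(f"scheduled task {task!r}")
    for mtx in inventory.get("mutexes", []):
        if mtx.lower() == iocs["mutex"]:
            findings.append(f"mutex {mtx}")
    for host, port in inventory.get("connections", []):
        if host.lower() == iocs["c2_host"] and int(port) == iocs["c2_port"]:
            findings.append(f"connection to {host}:{port}")
    for path in inventory.get("files", []):
        p = path.lower()
        if p.startswith(iocs["install_dir"]) or p.endswith(iocs["watchdog_suffix"]):
            findings.append(f"file {path}")
    return findings


# Constructed inventory: a host showing the persistence, watchdog, mutex and
# C2 artifacts from the config plus benign noise. Not data from the report.
SAMPLE_INVENTORY = {
    "run_values": [
        ("OneDrive", r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        ("System39", r"C:\Program Files\System\System\System.exe"),
    ],
    "tasks": ["MicrosoftEdgeUpdateTaskMachineCore", "System39"],
    "mutexes": ["Global\\SomeLegitApp", "41fdffd0276c4314a5a934c62fb1022f"],
    "connections": [("40.126.0.1", 443), ("obfuscated.us", 8080)],
    "files": [
        r"C:\Users\victim\AppData\System.exe",
        r"C:\Program Files\System\System\System.exe",
        r"C:\Windows\System32\notepad.exe",
    ],
}

if __name__ == "__main__":
    for hit in check_host(SAMPLE_INVENTORY, build_iocs()):
        print("HIT:", hit)
```

Collecting the inventory is left to whatever tooling is in use (registry and task exports, a process or handle listing for the mutex, netstat or EDR telemetry for the connection); the point of the function is that every field of the extracted config maps to one concrete thing to look for on the host.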

Targets

    • Target

      c20234fc458f1e66563e6704c29edaf170095261097b9d0449534cc1e2d52127

    • Size

      910KB

    • MD5

      484c14a70d5a26ebdadde4ad5e03779e

    • SHA1

      0e6a5464eb92561eb007f5bd802083c9c6ec1124

    • SHA256

      c20234fc458f1e66563e6704c29edaf170095261097b9d0449534cc1e2d52127

    • SHA512

      faf234088dce7aa431407bc01777fefd5c67ae497ee63468257cc4e8f4bbc5394b8c2e83cf19ef286b5fd0d74a7dd44a133656a454ec3aaa7cf62ac774e2de8e

    • SSDEEP

      24576:Wam4MROxnFrFPurerrcI0AilFEvxHPh5ooT:WOMiMerrcI0AilFEvxHPh

    • Orcus

      Orcus is a Remote Access Trojan sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks