General

  • Target

    f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a

  • Size

    3.0MB

  • Sample

    240209-bp17zsdf9w

  • MD5

    23f4e9c9b708ba86f0b4746fcefd7caf

  • SHA1

    b233e4c368018bf50941b785190abd88129fc8ca

  • SHA256

    f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a

  • SHA512

    fcec609cb9375b40bcae6f2a529c7bf2d0e0ad91674984addb6180d388216c80d3e6373d9949c16f5937bb9ba76993f29ec08e4079260a46015e99b62759a329

  • SSDEEP

    49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

C2

31.44.184.52:58576

Mutex

sudo_1v7mey0zzj7ysiavya22l201c5apuze4

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\linuxflowergeo\uploadstrack.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Target

      f118ffc20242135275dfbf8832e41f986cfce096055693b8a5b06afaa9f8ca5a

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
