Sample
https://www.youtube.com/results?search_query=%D0%92%D0%B7%D0%BB%D0%BE%D0%BC+%D0%BE%D0%BF%D0%BA%D0%B8+%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0
Resource
win10v2004-20231222-en
Malware Config
Extracted
redline
45.15.156.127:48665
Extracted
orcus
Новый тег
31.44.184.52:56938
sudo_q4so8xcq742rnr21qk66eif9iz5y60wr
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\requestsqltest\trackdle.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
Targets
Target
https://www.youtube.com/results?search_query=%D0%92%D0%B7%D0%BB%D0%BE%D0%BC+%D0%BE%D0%BF%D0%BA%D0%B8+%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0
Orcus main payload
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload
Orcurs Rat Executable
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.