General

  • Target

    398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d

  • Size

    3.0MB

  • Sample

    240211-bdcp9aag31

  • MD5

    33fb4c25d6d27630a20791a37547a11d

  • SHA1

    a1d4d6c542fdfab4b8f3b4eec566a73631e4bb37

  • SHA256

    398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d

  • SHA512

    e934731c40efa489f10540d0ae0b6008636993d6c0b324ccfcf37325c39e752a366aa2b22501b6f451e3dffdd818f79488df0653e34c6193468d064317c13536

  • SSDEEP

    49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm

Malware Config

Extracted

Family

orcus

Botnet

psevdo

C2

31.44.184.52:13642

Mutex

sudo_avwprskj2xlyk48lnfog2lolkkoaavrd

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\sqlauth\securewordpress.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Target

      398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d

    • Size

      3.0MB

    • MD5

      33fb4c25d6d27630a20791a37547a11d

    • SHA1

      a1d4d6c542fdfab4b8f3b4eec566a73631e4bb37

    • SHA256

      398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d

    • SHA512

      e934731c40efa489f10540d0ae0b6008636993d6c0b324ccfcf37325c39e752a366aa2b22501b6f451e3dffdd818f79488df0653e34c6193468d064317c13536

    • SSDEEP

      49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks