General
Target: 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
Size: 3.0MB
Sample: 240211-bdcp9aag31
MD5: 33fb4c25d6d27630a20791a37547a11d
SHA1: a1d4d6c542fdfab4b8f3b4eec566a73631e4bb37
SHA256: 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
SHA512: e934731c40efa489f10540d0ae0b6008636993d6c0b324ccfcf37325c39e752a366aa2b22501b6f451e3dffdd818f79488df0653e34c6193468d064317c13536
SSDEEP: 49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm
Behavioral task
behavioral1
Sample: 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d.exe
Resource: win7-20231215-en
Malware Config
Extracted
orcus
psevdo
31.44.184.52:13642
sudo_avwprskj2xlyk48lnfog2lolkkoaavrd
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\sqlauth\securewordpress.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
Targets
Target: 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
Size: 3.0MB
MD5: 33fb4c25d6d27630a20791a37547a11d
SHA1: a1d4d6c542fdfab4b8f3b4eec566a73631e4bb37
SHA256: 398ce0b0020618ecf962b83634a7e8f2dcd3d84df8a8947e752a37e26f53b08d
SHA512: e934731c40efa489f10540d0ae0b6008636993d6c0b324ccfcf37325c39e752a366aa2b22501b6f451e3dffdd818f79488df0653e34c6193468d064317c13536
SSDEEP: 49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext