General

  • Target

    6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5

  • Size

    914KB

  • Sample

    240211-bp56yada47

  • MD5

    e51b12e9e7c6ae07bc88254dff2e4aec

  • SHA1

    f59c3eb0b5b071e5e369d56decceba6b64dd8004

  • SHA256

    6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5

  • SHA512

    3667d834a70289df92e6d566543ab10cafa4a5701578cd8472231bcfd4b7fb1efe98487af236389e24a38ad3ecc6459790c60d188256448071ee387e384a7797

  • SSDEEP

    24576:7cI4MROxnFD3jEsYxrZlI0AilFEvxHigHX:7crMiJWrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

6.tcp.ngrok.io:13146

Mutex

0133d229c4e24006957c0e4ab3a52531

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
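The extracted configuration and the behavioural signatures above give a compact set of host and network indicators for this build: the C2 endpoint, the Run value name, the install path, the scheduled task name, the watchdog drop location and the mutex. The following is an added example, not part of the sandbox report and not Orcus code: a small Python hunting routine that checks constructed Sysmon-style events against those indicators and, separately, flags any destination under tcp.ngrok.io, since the C2 here is an ngrok TCP tunnel whose subdomain and port can change between builds. The event field names and the sample events are this example's own construction; the %programfiles% expansion assumes a default 64-bit Program Files directory.

```python
"""Match Sysmon-like telemetry against the Orcus RAT config extracted above.

Added example, not tria.ge's or the Orcus author's code. Event records are a
constructed, simplified subset of Sysmon fields; the names are this example's.
"""
import ntpath
import re

# Indicators copied from the extracted config on this page.
C2_HOST, C2_PORT = "6.tcp.ngrok.io", 13146
MUTEX = "0133d229c4e24006957c0e4ab3a52531"
INSTALL_PATH = r"%programfiles%\Orcus\Orcus.exe"
RUN_VALUE_NAME = "Orcus"
TASK_NAME = "Orcus"
WATCHDOG_PATH = r"AppData\OrcusWatchdog.exe"

# Value written directly under HKCU/HKLM ...\CurrentVersion\Run (matches the "Adds Run key" signature).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Any ngrok TCP tunnel endpoint, not just the one in this build.
NGROK_TCP_RE = re.compile(r"(^|\.)tcp\.ngrok\.io$", re.I)


def expand_install_path(path, program_files=r"C:\Program Files"):
    """Resolve the config's %programfiles% placeholder (case-insensitive).
    Assumes the default 64-bit layout; pass the x86 directory for a 32-bit install."""
    marker = "%programfiles%"
    idx = path.lower().find(marker)
    if idx < 0:
        return path
    return path[:idx] + program_files + path[idx + len(marker):]


def classify(event):
    """Return the rule names one event matches (empty list for benign events)."""
    hits = []
    kind = event.get("event")
    if kind == "NetworkConnect":
        host = event.get("dest_host", "")
        if host.lower() == C2_HOST and event.get("dest_port") == C2_PORT:
            hits.append("orcus_c2_exact")
        elif NGROK_TCP_RE.search(host):
            hits.append("ngrok_tcp_tunnel")
    elif kind == "RegistryValueSet":
        m = RUN_KEY_RE.search(event.get("target", ""))
        if m:
            if m.group(1).lower() == RUN_VALUE_NAME.lower():
                hits.append("orcus_run_key")
            if expand_install_path(INSTALL_PATH).lower() in event.get("details", "").lower():
                hits.append("orcus_run_key_payload")
    elif kind == "ProcessCreate":
        if event.get("image", "").lower() == expand_install_path(INSTALL_PATH).lower():
            hits.append("orcus_install_path_exec")
    elif kind == "FileCreate":
        target = event.get("target", "")
        # The config gives only "AppData\OrcusWatchdog.exe"; match on the file name under any AppData subfolder.
        if (ntpath.basename(target).lower() == ntpath.basename(WATCHDOG_PATH).lower()
                and "\\appdata\\" in target.lower()):
            hits.append("orcus_watchdog_drop")
    elif kind == "ScheduledTaskCreate":
        if event.get("task_name", "").strip("\\").lower() == TASK_NAME.lower():
            hits.append("orcus_scheduled_task")
    elif kind == "MutexCreate":
        # Full object path usually looks like \Sessions\N\BaseNamedObjects\<mutex>.
        if event.get("name", "").lower().endswith(MUTEX.lower()):
            hits.append("orcus_mutex")
    return hits


def hunt(events):
    """Return {rule_name: [matching events]} over a list of events."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev)
    return findings


# Constructed telemetry, not from the sandbox run; the SID and user name are made up.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Program Files\Orcus\Orcus.exe"},
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Orcus",
     "details": r"C:\Program Files\Orcus\Orcus.exe"},
    {"event": "ScheduledTaskCreate", "task_name": r"\Orcus"},
    {"event": "FileCreate", "target": r"C:\Users\user\AppData\Roaming\OrcusWatchdog.exe"},
    {"event": "MutexCreate", "name": r"\Sessions\1\BaseNamedObjects\0133d229c4e24006957c0e4ab3a52531"},
    {"event": "NetworkConnect", "dest_host": "6.tcp.ngrok.io", "dest_port": 13146},
    {"event": "NetworkConnect", "dest_host": "2.tcp.ngrok.io", "dest_port": 19999},
    {"event": "RegistryValueSet",  # benign autostart for comparison
     "target": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event": "NetworkConnect", "dest_host": "www.example.com", "dest_port": 443},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for rule, evs in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```

The exact-match rules are tied to this one build and will miss a rebuilt sample with a different mutex, task name or tunnel port; the generic ngrok_tcp_tunnel rule is the durable one, but ngrok is also used legitimately by developers, so treat it as a triage lead rather than a blocking signature. An install path under Program Files also implies the sample ran with write access to that directory, which is worth checking in the process ancestry.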

MITRE ATT&CK Enterprise v15

Tasks