General
Target: 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5
Size: 914KB
Sample: 240211-bp56yada47
MD5: e51b12e9e7c6ae07bc88254dff2e4aec
SHA1: f59c3eb0b5b071e5e369d56decceba6b64dd8004
SHA256: 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5
SHA512: 3667d834a70289df92e6d566543ab10cafa4a5701578cd8472231bcfd4b7fb1efe98487af236389e24a38ad3ecc6459790c60d188256448071ee387e384a7797
SSDEEP: 24576:7cI4MROxnFD3jEsYxrZlI0AilFEvxHigHX:7crMiJWrZlI0AilFEvxHi
Behavioral task: behavioral1
Sample: 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5.exe
Resource: win10v2004-20231215-en
Malware Config
Extracted family: orcus
C2: 6.tcp.ngrok.io:13146
0133d229c4e24006957c0e4ab3a52531
autostart_method: Registry
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Targets
Target: 6020f59c8bd68cb34326e8eae51cdfc70a487aae5b0bebf3fe6100335d130ed5
Score: 10/10

Signatures
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory