General

  • Target

    793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700

  • Size

    5.0MB

  • Sample

    240212-bda7esea5z

  • MD5

    3e04fd7395a78346599158a287111839

  • SHA1

    f54df6a85e09c59b55232918a096d64613caf050

  • SHA256

    793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700

  • SHA512

    f5c3fa6d88932778da994653ee1f2d1bc57f3dfb9dfd9ca8205cae1507015c02e0205ca200c7c4a30c5e2c1b2fb108e096022e028218290495f16508afafd35a

  • SSDEEP

    24576:EUA4MROxnFE3cdc1RGrZlI0AilFEvxHir3:EUjMiu/bGrZlI0AilFEvxHi

Malware Config

Extracted

  • Family

    orcus

  • C2

    192.168.0.200:10134

  • Mutex

    afa5401f54984aaa863b79961927d3dd

  • Attributes

    • autostart_method

      TaskScheduler

    • enable_keylogger

      false

    • install_path

      %programfiles%\Orcus\Orcus.exe

    • reconnect_delay

      10000

    • registry_keyname

      Orcus

    • taskscheduler_taskname

      GitHub

    • watchdog_path

      Temp\nurik.exe

Targets

    • Target

      793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700
    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15