General

  • Target: a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0
  • Size: 1.1MB
  • Sample: 240212-bf3pfsfh64
  • MD5: 6eb2f8547792eddb8370fad585a891d2
  • SHA1: a629a13596e00876b867a0a58254fa50a5e34922
  • SHA256: a35553e5dc9c348ebca6b2553055f0d291697f8fd7d4706f2fd0d04fc10c06c0
  • SHA512: 632c2a56ef6b8d741d589b0231d834f445f301c66bbb243690a06b7df629408f908075f6972e971c7b798595d522f1892886a6f7c201e9892e7fbe38414a1344
  • SSDEEP: 24576:sUA4MROxnFw5bHKTlQ5rZlI0AilFEvxHiKV:sUjMiG5rZlI0AilFEvxHi

Malware Config

Extracted

  • Family: orcus
  • C2: 26.65.233.242:10135
  • Mutex: 436815d745b549a18fadaea7c4bea111

Attributes

  • autostart_method: Disable
  • enable_keylogger: false
  • install_path: %programfiles%\Orcus\Orcus.exe
  • reconnect_delay: 10000
  • registry_keyname: Orcus
  • taskscheduler_taskname: Orcus
  • watchdog_path: AppData\OrcusWatchdog.exe

Targets

    • Orcus: Orcus is a Remote Access Trojan that is being sold on underground forums.
    • Orcus main payload
    • Orcus RAT executable
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks