General

  • Target

    04edf9a88e1bdb8c38aaede7b19fab8092c4bb5490a30b4393c9019dc61ac52f

  • Size

    5.0MB

  • Sample

    240212-bm61fsgb52

  • MD5

    ba17586b1ed01ca8e65d734060d9ea0e

  • SHA1

    952e46759574e77217410fca0302a37bb76dd509

  • SHA256

    04edf9a88e1bdb8c38aaede7b19fab8092c4bb5490a30b4393c9019dc61ac52f

  • SHA512

    b8a4c103abd7c43807f34d5274bbeeffcfdd8968ddff35c1195cbe19c3831e405e75f0f5ac8c132d6bbef794d45ae3bb6de36fdb1172b199f7424b56bc6e8b34

  • SSDEEP

    24576:4mHR4MROxnFi3EZrrcI0AilFEvxHPnqooo:buMioEZrrcI0AilFEvxHP

Malware Config

Extracted

  • Family

    orcus

  • C2

    192.168.1.10:10134

  • Mutex

    6ae3b1fbe2324f35ae733bf37bdd3f69

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks