General

  • Target

    e58c968911b7cb21b817e96a3d8bbc53972c6bf08d5d688314aa0abf8ce1dcff

  • Size

    2.9MB

  • Sample

    240213-cnqkjahd3y

  • MD5

    a66b5e87f6841b747c1dcaab076998ff

  • SHA1

    8e6cbfb9eb6c9be259c5ecf5d33b5fa991fbf06c

  • SHA256

    e58c968911b7cb21b817e96a3d8bbc53972c6bf08d5d688314aa0abf8ce1dcff

  • SHA512

    c6eb8beeefaefb05bcf53dd2363a8368d9a405687db755641d5ca30048c2e721b532764e11e1ef7f2e2fb194ba5c274f00ae2c773b58297463b7289fe0aa7edc

  • SSDEEP

    49152:H02N8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCm+WncFf0I74gu3SM:Hd0wGGzBjryX82uypSb9ndo9JCm

Malware Config

Extracted

  • Family

    orcus

  • C2

    192.168.1.111:10134

  • Mutex

    24b16d1a9eb04e898b76f459161f7a15

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE
