General

  • Target

    672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c

  • Size

    914KB

  • Sample

    240214-btbg5aeh53

  • MD5

    253480be247da51a81583428a8bc8364

  • SHA1

    0ae21dd5866274ed8a68b2210f2369eec8f4e6cf

  • SHA256

    672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c

  • SHA512

    a302edcd69cd05d8acb9533e7964039d1191d35f3395987b0194d00cac4694eb81050e00d1d000cd69a0c8189654f69833ba63c96b2b59c3da993b1626a1f3f6

  • SSDEEP

    24576:9W64MROxnFD3orXYf1rrcI0AilFEvxHPx2ooX:9KMiJhrrcI0AilFEvxHP

Malware Config

Extracted

  • Family

    orcus

  • C2

    4.tcp.eu.ngrok.io:14698

  • Mutex

    0133d229c4e24006957c0e4ab3a52531

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\gcc\gcc.exe

  • reconnect_delay

    10000

  • registry_keyname

    System3222

  • taskscheduler_taskname

    System3222

  • watchdog_path

    AppData\Sys322.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
