General
-
Target
672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c
-
Size
914KB
-
Sample
240214-btbg5aeh53
-
MD5
253480be247da51a81583428a8bc8364
-
SHA1
0ae21dd5866274ed8a68b2210f2369eec8f4e6cf
-
SHA256
672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c
-
SHA512
a302edcd69cd05d8acb9533e7964039d1191d35f3395987b0194d00cac4694eb81050e00d1d000cd69a0c8189654f69833ba63c96b2b59c3da993b1626a1f3f6
-
SSDEEP
24576:9W64MROxnFD3orXYf1rrcI0AilFEvxHPx2ooX:9KMiJhrrcI0AilFEvxHP
Behavioral task
behavioral1
Sample
672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
orcus
4.tcp.eu.ngrok.io:14698
0133d229c4e24006957c0e4ab3a52531
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\gcc\gcc.exe
-
reconnect_delay
10000
-
registry_keyname
System3222
-
taskscheduler_taskname
System3222
-
watchdog_path
AppData\Sys322.exe
Targets
-
-
Target
672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c
-
Size
914KB
-
MD5
253480be247da51a81583428a8bc8364
-
SHA1
0ae21dd5866274ed8a68b2210f2369eec8f4e6cf
-
SHA256
672e678561dd7edf71770a96ff30d22d232ced57f76d8a6797564732d7528c5c
-
SHA512
a302edcd69cd05d8acb9533e7964039d1191d35f3395987b0194d00cac4694eb81050e00d1d000cd69a0c8189654f69833ba63c96b2b59c3da993b1626a1f3f6
-
SSDEEP
24576:9W64MROxnFD3orXYf1rrcI0AilFEvxHPx2ooX:9KMiJhrrcI0AilFEvxHP
Score10/10-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-