orcus | d54e05797a6c45d4a9838f2ecac7668bbd5611af35c38e4292f9f6d80453d525 | Triage

Sharing

General

Target

d54e05797a6c45d4a9838f2ecac7668bbd5611af35c38e4292f9f6d80453d525
Size

3.0MB
MD5

653fe71d5cb7718c6c1425f268909d8d
SHA1

bb3f51568d110ccd4c97cd798da395b4784df126
SHA256

d54e05797a6c45d4a9838f2ecac7668bbd5611af35c38e4292f9f6d80453d525
SHA512

6094105be174ff224432c1e7ab3aa425a73259b9f3047f62cb8736815fbfea4272c620bbdafe32ee136bbf8b29b4a185266c500949b72de69658efc5d0ac3937
SSDEEP

49152:QNmZcFSZeM9/4/OwVkFG6X4pyzv1IgczE6SAypQxbPQo9JnCm0WncFf0I74gu3nM:QIiTJ/BVkzOyzdCznypSb4o9JCm

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

172.30.1.44:10134

Mutex

9484b93f477c433c96dd84d473fcd2e5

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d54e05797a6c45d4a9838f2ecac7668bbd5611af35c38e4292f9f6d80453d525

Files

d54e05797a6c45d4a9838f2ecac7668bbd5611af35c38e4292f9f6d80453d525
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ