orcus | test[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

test.exe
Size

911KB
MD5

fd9a1a22ef3f9c41f6ff4cd9fa883ecb
SHA1

ea4f09b44b15707304204b639c1ec3c65fca58cb
SHA256

26aa6f3a0c9ed1f38a13ff53f8a743cf573a46103d75ff2dcf9b7e75a3ac235f
SHA512

18a1673b127b8db11979ff9f6c60d5db00d16371814cd76fd1a54d62a2b7179f887587f3891ced70887cbaaeb0c338641fdda91b896d724f44998aaf12b9537f
SSDEEP

24576:w+e4MROxnFl3zzPrrcI0AilFEvxHPbaook:wSMirfrrcI0AilFEvxHP

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

LaraLoveU-49133.portmap.host:49133

Mutex

e51153b173504a70a5faf5caab12f32d

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
test.exe

Files

test.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 906KB - Virtual size: 906KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ