General
-
Target
044cf9d12eb9c02724075b99f72e4bc93684472085289b6a78263f6c47a1e39e
-
Size
2.6MB
-
Sample
240408-blmv7acd52
-
MD5
77814228b0b01efafe016f362b212577
-
SHA1
2c5344b7e08ec6cac7a2f9b8668853cc373fd44b
-
SHA256
044cf9d12eb9c02724075b99f72e4bc93684472085289b6a78263f6c47a1e39e
-
SHA512
4ac308b583decd0c04dff4d47cc336f7de295abe49ed87b12964d5781f2d7e96503ca38b186d7a4a78c1e59c10bb9d534509dbac9f06af3020ef0e65b0dd48ed
-
SSDEEP
24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxh:Hh+ZkldoPKiYdqd6p
Static task
static1
Behavioral task
behavioral1
Sample
044cf9d12eb9c02724075b99f72e4bc93684472085289b6a78263f6c47a1e39e.exe
Resource
win7-20240221-en
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
044cf9d12eb9c02724075b99f72e4bc93684472085289b6a78263f6c47a1e39e
-
Size
2.6MB
-
MD5
77814228b0b01efafe016f362b212577
-
SHA1
2c5344b7e08ec6cac7a2f9b8668853cc373fd44b
-
SHA256
044cf9d12eb9c02724075b99f72e4bc93684472085289b6a78263f6c47a1e39e
-
SHA512
4ac308b583decd0c04dff4d47cc336f7de295abe49ed87b12964d5781f2d7e96503ca38b186d7a4a78c1e59c10bb9d534509dbac9f06af3020ef0e65b0dd48ed
-
SSDEEP
24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxh:Hh+ZkldoPKiYdqd6p
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-