General

  • Target

    044cf9d12eb9c02724075b99f72e4bc93684472085289b6a78263f6c47a1e39e

  • Size

    2.6MB

  • Sample

    240408-blmv7acd52

  • MD5

    77814228b0b01efafe016f362b212577

  • SHA1

    2c5344b7e08ec6cac7a2f9b8668853cc373fd44b

  • SHA256

    044cf9d12eb9c02724075b99f72e4bc93684472085289b6a78263f6c47a1e39e

  • SHA512

    4ac308b583decd0c04dff4d47cc336f7de295abe49ed87b12964d5781f2d7e96503ca38b186d7a4a78c1e59c10bb9d534509dbac9f06af3020ef0e65b0dd48ed

  • SSDEEP

    24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxh:Hh+ZkldoPKiYdqd6p

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks