General
Target: tmp
Size: 2.6MB
Sample: 240411-srhbbshd41
MD5: c36ad641e8a1f1af49f2a6fc8f940c43
SHA1: 022d416238a13bcc250dd435080304afd07703b4
SHA256: be0ac6c8a7344a2f3e8f465f14a99e41934457dbf07c18c14f91c8387c8798f1
SHA512: 510da9daff480b952b40cde034b7b67171651afdd4b7706a0104a7d0f7b9c46d527811bdf681ca3dbf4a59407081f75ddb9398af40c44f3cfb4351708812c297
SSDEEP: 49152:gtTKZKMuX7vnQ27/AypQxbfo9JnCmo+/rDnIgAiEFCvxHIm:g/l7t4ypSbfo9JCm1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted: orcus
94.156.8.26:10134
c9103f5f086a4e78af4ff75496cecb4a
autostart_method: Registry
enable_keylogger: true
install_path: %allusersprofile%\CSP\CSP Loader.exe
reconnect_delay: 10000
registry_keyname: CSPAutostart
taskscheduler_taskname: CSPAutostart
watchdog_path: Temp\Failsafe.exe
Targets
Target: tmp
Size: 2.6MB
MD5: c36ad641e8a1f1af49f2a6fc8f940c43
SHA1: 022d416238a13bcc250dd435080304afd07703b4
SHA256: be0ac6c8a7344a2f3e8f465f14a99e41934457dbf07c18c14f91c8387c8798f1
SHA512: 510da9daff480b952b40cde034b7b67171651afdd4b7706a0104a7d0f7b9c46d527811bdf681ca3dbf4a59407081f75ddb9398af40c44f3cfb4351708812c297
SSDEEP: 49152:gtTKZKMuX7vnQ27/AypQxbfo9JnCmo+/rDnIgAiEFCvxHIm:g/l7t4ypSbfo9JCm1
Score: 10/10
Signatures:
- Orcurs Rat Executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application