General

  • Target

    tmp

  • Size

    2.6MB

  • Sample

    240411-srhbbshd41

  • MD5

    c36ad641e8a1f1af49f2a6fc8f940c43

  • SHA1

    022d416238a13bcc250dd435080304afd07703b4

  • SHA256

    be0ac6c8a7344a2f3e8f465f14a99e41934457dbf07c18c14f91c8387c8798f1

  • SHA512

    510da9daff480b952b40cde034b7b67171651afdd4b7706a0104a7d0f7b9c46d527811bdf681ca3dbf4a59407081f75ddb9398af40c44f3cfb4351708812c297

  • SSDEEP

    49152:gtTKZKMuX7vnQ27/AypQxbfo9JnCmo+/rDnIgAiEFCvxHIm:g/l7t4ypSbfo9JCm1

Malware Config

Extracted

  • Family

    orcus

  • C2

    94.156.8.26:10134

  • Mutex

    c9103f5f086a4e78af4ff75496cecb4a

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %allusersprofile%\CSP\CSP Loader.exe

  • reconnect_delay

    10000

  • registry_keyname

    CSPAutostart

  • taskscheduler_taskname

    CSPAutostart

  • watchdog_path

    Temp\Failsafe.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks