Overview

overview

10

Static

static

10

48db6e9d87...9d.exe

windows7-x64

10

48db6e9d87...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-04-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe

  • Size

    910KB

  • MD5

    0dc0ab0af7887016e40a9fb1cb8de85e

  • SHA1

    3a6e9c43ec94b4609d825e38a97eb4e76be493ba

  • SHA256

    48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d

  • SHA512

    089164fb39657a62a6bda638cd5b06b32227e6a4c91e034ec1febc1434525db1afe96b81738d02c55e99a6e3760605190388038bf77cee4f675ff2bf107af399

  • SSDEEP

    12288:T0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCg+34ai5V2Xopqi1n07dG1lFlWl:/2C4MROxnFRC8rrcI0AilFEvxHjoQS

Score
10/10
orcusligeonratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe
    "C:\Users\Admin\AppData\Local\Temp\48db6e9d87ebb481de65aa9fe318139644642b429e7701287c1c136fa96b529d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1188
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2208 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:624

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1188-0-0x0000000000490000-0x000000000057A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/1188-1-0x000000001B1C0000-0x000000001B21C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/1188-2-0x0000000000E20000-0x0000000000E2E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1188-3-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1188-4-0x0000000000E50000-0x0000000000E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1188-5-0x0000000000E70000-0x0000000000E82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1188-6-0x0000000000E60000-0x0000000000E68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1188-7-0x0000000000EA0000-0x0000000000EB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1188-8-0x000000001CA20000-0x000000001CBE2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1188-9-0x000000001B230000-0x000000001B240000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1188-10-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1188-11-0x0000000000E50000-0x0000000000E60000-memory.dmp

      Filesize

      64KB

      Download