General
-
Target
b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96
-
Size
2.6MB
-
Sample
240413-b7zf4saa55
-
MD5
300a4b922efd748c8aff640f6a47da92
-
SHA1
f62795a39447f267885da5a64d256b18543add26
-
SHA256
b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96
-
SHA512
9dd1573309ca14f6c8acf66b3434153d3fa06d0027cedb725aa47e8a0852c0b7ad0c74e8f37f3bcccb6d5d9e65da6a70aa155715d9dde09a49236f1db3f06ae5
-
SSDEEP
24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nk:Vh+ZkldoPKiYdKr9y
Static task
static1
Behavioral task
behavioral1
Sample
b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96.exe
Resource
win7-20240221-en
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96
-
Size
2.6MB
-
MD5
300a4b922efd748c8aff640f6a47da92
-
SHA1
f62795a39447f267885da5a64d256b18543add26
-
SHA256
b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96
-
SHA512
9dd1573309ca14f6c8acf66b3434153d3fa06d0027cedb725aa47e8a0852c0b7ad0c74e8f37f3bcccb6d5d9e65da6a70aa155715d9dde09a49236f1db3f06ae5
-
SSDEEP
24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nk:Vh+ZkldoPKiYdKr9y
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-