General

  • Target

    b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96

  • Size

    2.6MB

  • Sample

    240413-b7zf4saa55

  • MD5

    300a4b922efd748c8aff640f6a47da92

  • SHA1

    f62795a39447f267885da5a64d256b18543add26

  • SHA256

    b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96

  • SHA512

    9dd1573309ca14f6c8acf66b3434153d3fa06d0027cedb725aa47e8a0852c0b7ad0c74e8f37f3bcccb6d5d9e65da6a70aa155715d9dde09a49236f1db3f06ae5

  • SSDEEP

    24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nk:Vh+ZkldoPKiYdKr9y

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe
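
The extracted configuration above is directly usable for hunting: the C2 host and port, the mutex, the install path, the watchdog file name and the Run-key / scheduled-task names are all host or network observables. The following Python is an added example, not code from the sandbox report or from Orcus itself; it normalises those config values into indicators and matches them against a small set of constructed EDR-style events. The event schema, the helper names (iocs_from_config, match_event, scan) and the expansion of the builder's %programfiles% token are assumptions. Note that this sample's autostart_method is Disable, so the Run-key and task checks are included because the config names them, not because this build is known to create them.

```python
"""Convert the Orcus RAT config extracted above into host and network
indicators and match them against EDR-style telemetry.

Added example: the event schema, helper names and SAMPLE_EVENTS are
constructed for illustration, not taken from the sandbox report."""
import re

# Values copied from the report's "Malware Config" section.
ORCUS_CONFIG = {
    "c2": "ligeon.ddns.net:1606",
    "mutex": "b98fb09a59c24a81b9d17a55ccf2c036",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}

# Assumed expansions of the builder's %programfiles% token; both the
# native and the WOW64 folder are tried so either bitness matches.
PROGRAMFILES = (r"C:\Program Files", r"C:\Program Files (x86)")

# Run / RunOnce autostart keys under HKCU or HKLM, any trailing subpath.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path (also works for object names)."""
    return path.rsplit("\\", 1)[-1].lower()


def iocs_from_config(cfg):
    """Normalise the extracted config into lower-cased indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),
        "install_paths": {
            cfg["install_path"].replace("%programfiles%", pf).lower()
            for pf in PROGRAMFILES
        },
        "watchdog_name": basename(cfg["watchdog_path"]),
        "run_value": cfg["registry_keyname"].lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
    }


def match_event(iocs, ev):
    """Return why an event matches the Orcus indicators, or None."""
    kind = ev["type"]
    if kind == "dns" and ev["query"].lower().rstrip(".") == iocs["c2_host"]:
        return "dns query for C2 host"
    if (kind == "netconn" and ev["dport"] == iocs["c2_port"]
            and ev["dst_name"].lower() == iocs["c2_host"]):
        return "connection to C2 host:port"
    if kind == "process":
        image = ev["image"].lower()
        if image in iocs["install_paths"]:
            return "process started from Orcus install path"
        if basename(image) == iocs["watchdog_name"]:
            return "Orcus watchdog process"
    # Mutex names arrive as full object paths, so compare the leaf only.
    if kind == "mutex" and basename(ev["name"]) == iocs["mutex"]:
        return "Orcus mutex created"
    if (kind == "registry" and RUN_KEY_RE.search(ev["key"])
            and ev["value"].lower() == iocs["run_value"]):
        return "Orcus Run-key value"
    if kind == "task" and ev["task"].lower().lstrip("\\") == iocs["task_name"]:
        return "Orcus scheduled task"
    return None


def scan(events, cfg=ORCUS_CONFIG):
    """Return (event index, reason) for every event that matches."""
    iocs = iocs_from_config(cfg)
    hits = []
    for i, ev in enumerate(events):
        reason = match_event(iocs, ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed telemetry: a mix of Orcus activity and benign noise.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "ligeon.ddns.net"},
    {"type": "dns", "query": "www.microsoft.com"},
    {"type": "netconn", "dst_name": "LIGEON.DDNS.NET", "dport": 1606},
    {"type": "netconn", "dst_name": "ligeon.ddns.net", "dport": 443},
    {"type": "process", "image": r"C:\Program Files\Orcus\Orcus.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\OrcusWatchdog.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\b98fb09a59c24a81b9d17a55ccf2c036"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Orcus"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
    {"type": "task", "task": r"\Orcus"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The watchdog is matched on file name only because the config stores a relative path (AppData\OrcusWatchdog.exe) whose parent folder depends on the user profile; the mutex is compared on its leaf name for the same reason, since kernel object names carry a session prefix. A DDNS C2 host should be hunted by name rather than by the IP it resolved to at analysis time.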

Targets

    • Target

      b5740e9632472ae8251a93cb3fc3a98ec82c30fb2833a76d7c9968b9ba531c96

    • Orcus

      Orcus is a Remote Access Trojan sold on underground forums.

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks