General
Target: b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc
Size: 2.6MB
Sample: 240413-b8fqdsch7y
MD5: 0841f38ab78c42955b1bbc3b0e6361c5
SHA1: 1ead5a5ed456fd748ed0a790f518f644307acb5d
SHA256: b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc
SHA512: 92d06408ece636b94e6ac038dc9afc9731d5919e835d02608a3df25d2bbeeed71ab3f5d4f589ee37011f04098f3178e11fde05b64c59e7c30ee3c63218a2e0e5
SSDEEP: 24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nx:Vh+ZkldoPKiYdKr9/
Static task: static1
Behavioral task: behavioral1
Sample: b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc.exe
Resource: win7-20240221-en
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
autostart_method: Disable
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Targets
Target: b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc
- Orcus RAT Executable
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext