General

  • Target

    b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc

  • Size

    2.6MB

  • Sample

    240413-b8fqdsch7y

  • MD5

    0841f38ab78c42955b1bbc3b0e6361c5

  • SHA1

    1ead5a5ed456fd748ed0a790f518f644307acb5d

  • SHA256

    b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc

  • SHA512

    92d06408ece636b94e6ac038dc9afc9731d5919e835d02608a3df25d2bbeeed71ab3f5d4f589ee37011f04098f3178e11fde05b64c59e7c30ee3c63218a2e0e5

  • SSDEEP

    24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nx:Vh+ZkldoPKiYdKr9/

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc

    • Size

      2.6MB

    • MD5

      0841f38ab78c42955b1bbc3b0e6361c5

    • SHA1

      1ead5a5ed456fd748ed0a790f518f644307acb5d

    • SHA256

      b6fda04ddc8a4b3cd01f5ae4592b9228780d58e4480323cfbf8057396ceed7fc

    • SHA512

      92d06408ece636b94e6ac038dc9afc9731d5919e835d02608a3df25d2bbeeed71ab3f5d4f589ee37011f04098f3178e11fde05b64c59e7c30ee3c63218a2e0e5

    • SSDEEP

      24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nx:Vh+ZkldoPKiYdKr9/

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks