General

  • Target

    6f3954aad101b238afcfe6f77386eda5baf60b732c0bc0cd7c887138731725ed

  • Size

    914KB

  • Sample

    240413-bwnkgahg92

  • MD5

    f10eafb748a1fdf85bf02969f63aaaa7

  • SHA1

    beba8c2489f04ce70d987ebe1ea06d927f2969c0

  • SHA256

    6f3954aad101b238afcfe6f77386eda5baf60b732c0bc0cd7c887138731725ed

  • SHA512

    59818cef311a3c16e323d79c82f3fc072c480ea3c5734aa674b3a9bbeeafe6387c38f13293974e0aaf4fbb5e28f5daa3b11005ecbf757eb7e1896f26ee43ae1b

  • SSDEEP

    24576:Khg4MROxnFR3KTn9rZlI0AilFEvxHizz:KhDMijKrZlI0AilFEvxHi

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    GameSense

  • C2

    178.20.45.159:7777

  • Mutex

    fc0fdfbbb6484642afe5af9cb815aeb8

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %temp%\Discord\Update.exe

  • reconnect_delay

    10000

  • registry_keyname

    Update

  • taskscheduler_taskname

    Update

  • watchdog_path

    Temp\Update.exe

Targets

    • Target

      6f3954aad101b238afcfe6f77386eda5baf60b732c0bc0cd7c887138731725ed

    • Size

      914KB

    • MD5

      f10eafb748a1fdf85bf02969f63aaaa7

    • SHA1

      beba8c2489f04ce70d987ebe1ea06d927f2969c0

    • SHA256

      6f3954aad101b238afcfe6f77386eda5baf60b732c0bc0cd7c887138731725ed

    • SHA512

      59818cef311a3c16e323d79c82f3fc072c480ea3c5734aa674b3a9bbeeafe6387c38f13293974e0aaf4fbb5e28f5daa3b11005ecbf757eb7e1896f26ee43ae1b

    • SSDEEP

      24576:Khg4MROxnFR3KTn9rZlI0AilFEvxHizz:KhDMijKrZlI0AilFEvxHi

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)
