General

  • Target

    aeas.exe

  • Size

    918KB

  • Sample

    240413-kwfz3ace53

  • MD5

    da4e713ae910ed87d01aee5ba13baca0

  • SHA1

    6c7da14a0cb3cbfa3f8099e48af9ec0a4b1e23b3

  • SHA256

    54a9de19f630c92a3c6cb9f0ccce3e916a600232fc68429678bbf70d043fb77d

  • SHA512

    690e6e7218fa4a6506a0428cc9159bf353762a1a47b5874b9dd07a6c7928f4d71b6b2b8fb189e98445a18b014a6f324f964a6999a1c0c6c46dc26b343a898cab

  • SSDEEP

    12288:30XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCg+34ai5V2Xopqi1n07dG1lFlWR:D2C4MROxnF96rrcI0AilFEvxHjzHQu

Malware Config

Extracted

Family

orcus

C2

s7vety-47274.portmap.host:47274

Mutex

dd6ac135bc344ba3be035bc19a9835dc

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %temp%\Windows Updater\updateclient.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      aeas.exe

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks