General
Target: fa3ccfda940ecb06e5d0f36e3ac64493daf494544acd02e45f69efaaa9628ba0
Size: 2.6MB
Sample: 240419-b49gxadb65
MD5: 519453e32f08c0aa895022a20a6fdcc8
SHA1: a30abbed1386d9a5576e20aabc9e704930bb74b9
SHA256: fa3ccfda940ecb06e5d0f36e3ac64493daf494544acd02e45f69efaaa9628ba0
SHA512: 8226d76c6eb75ee363b714cd6adec3d1efa93a62b506515698199c3682ae4f6d7b59614ab8bde95f5f2c4861fc205ee91cca37dd99fab430e0e9a865bfa3336f
SSDEEP: 24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxa:Hh+ZkldoPKiYdqd6S
Static task: static1
Behavioral task: behavioral1
  Sample: fa3ccfda940ecb06e5d0f36e3ac64493daf494544acd02e45f69efaaa9628ba0.exe
  Resource: win7-20240221-en
Malware Config
Extracted
Family: orcus
Botnet: ligeon
C2: ligeon.ddns.net:1606
Mutex: b98fb09a59c24a81b9d17a55ccf2c036
Attributes:
  autostart_method: Disable
  enable_keylogger: true
  install_path: %programfiles%\Orcus\Orcus.exe
  reconnect_delay: 10000
  registry_keyname: Orcus
  taskscheduler_taskname: Orcus
  watchdog_path: AppData\OrcusWatchdog.exe
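The extracted configuration is the part of this report a responder acts on: the C2 host and port, the mutex, the install and watchdog paths, and the persistence names. The following is an added example (not code from the sandbox, from Orcus, or from this page) that normalises those values into host-hunting indicators and runs them over a few constructed telemetry lines. The telemetry line format, the %programfiles% expansion and the suffix matching used for the relative watchdog path are assumptions made for illustration.

```python
"""Turn the Orcus RAT configuration extracted from this sample into host-hunting
indicators and run them over sample endpoint telemetry.

Added example: not code from the sandbox report, from Orcus or from the sample's
author. ORCUS_CONFIG copies the report's values; the telemetry line format, the
%programfiles% expansion and suffix matching of the watchdog path are assumptions.
"""
from __future__ import annotations

# Values as extracted by the sandbox (copied from the report above).
ORCUS_CONFIG = {
    "c2": "ligeon.ddns.net:1606",
    "mutex": "b98fb09a59c24a81b9d17a55ccf2c036",
    "autostart_method": "Disable",
    "enable_keylogger": "true",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "reconnect_delay": "10000",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}

# Assumed expansion for a 64-bit host; adjust for the environment being hunted.
ENV_VARS = {"%programfiles%": r"C:\Program Files"}


def expand_env(path: str) -> str:
    """Expand the %var% placeholders Orcus uses in install_path."""
    for var, value in ENV_VARS.items():
        path = path.replace(var, value)
    return path


def build_indicators(cfg: dict[str, str]) -> dict:
    """Normalise the config into lower-cased indicators keyed by type."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),
        # install_path is absolute once expanded; watchdog_path is relative to a
        # profile directory, so both are matched as path suffixes (assumption).
        "path_suffixes": [expand_env(cfg["install_path"]).lower(),
                          cfg["watchdog_path"].lower()],
        "task_name": cfg["taskscheduler_taskname"].lower(),
        "run_value_name": cfg["registry_keyname"].lower(),
        # "Disable" means this build creates neither the Run value nor the task;
        # a hit on those names therefore points at a differently built sample.
        "autostart_enabled": cfg["autostart_method"].lower() != "disable",
    }


def parse_event(line: str) -> tuple[str, dict[str, str]]:
    """Assumed telemetry line format: kind|key=value|key=value..."""
    kind, *fields = line.split("|")
    return kind, dict(f.split("=", 1) for f in fields)


def match_event(line: str, ind: dict) -> list[str]:
    """Return the names of the indicators one telemetry line matches."""
    kind, kv = parse_event(line)
    hits: list[str] = []
    if kind == "process":
        if any(kv["path"].lower().endswith(s) for s in ind["path_suffixes"]):
            hits.append("orcus_path")
    elif kind == "netconn":
        host, port = kv["dst"].rsplit(":", 1)
        if host.lower() == ind["c2_host"]:
            hits.append("c2_host")
            if int(port) == ind["c2_port"]:
                hits.append("c2_port")
    elif kind == "mutex" and kv["name"].lower() == ind["mutex"]:
        hits.append("orcus_mutex")
    elif kind == "schtask" and kv["name"].lower() == ind["task_name"]:
        hits.append("orcus_task")
    elif kind == "runkey" and kv["value"].lower() == ind["run_value_name"]:
        hits.append("orcus_runkey")
    return hits


def hunt(lines: list[str], ind: dict) -> dict[str, list[str]]:
    """Map each indicator name to the telemetry lines that matched it."""
    found: dict[str, list[str]] = {}
    for line in lines:
        for name in match_event(line, ind):
            found.setdefault(name, []).append(line)
    return found


# Constructed sample telemetry: four Orcus-shaped events and two benign ones.
SAMPLE_TELEMETRY = [
    r"process|path=C:\Program Files\Orcus\Orcus.exe|pid=4120",
    r"netconn|pid=4120|dst=ligeon.ddns.net:1606",
    r"mutex|pid=4120|name=B98FB09A59C24A81B9D17A55CCF2C036",
    r"process|path=C:\Users\alice\AppData\OrcusWatchdog.exe|pid=4188",
    r"process|path=C:\Windows\System32\svchost.exe|pid=900",
    r"netconn|pid=900|dst=update.example.net:443",
]

if __name__ == "__main__":
    for name, lines in hunt(SAMPLE_TELEMETRY, build_indicators(ORCUS_CONFIG)).items():
        print(f"{name}: {lines}")
```

Two points the config dictates: the C2 is a dynamic-DNS name, so hunt for the hostname in DNS and proxy logs rather than for whatever IP it resolved to during the sandbox run, and autostart_method is Disable in this build, so the Orcus Run value and scheduled task are not expected on a host infected by this sample even though their names are kept as indicators.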
Targets
Target: fa3ccfda940ecb06e5d0f36e3ac64493daf494544acd02e45f69efaaa9628ba0 (2.6MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Orcus RAT Executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check. A sample that gates on locale may stay dormant in a sandbox whose region does not match, so the behavioral results above may understate what it does on a targeted host.
- Executes dropped EXE
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext (commonly seen when one process injects code into, or hollows, another)