General
-
Target
9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
-
Size
914KB
-
Sample
240423-bxwbpsbb2s
-
MD5
382b5ec3d08f531a34b67c3d37851f93
-
SHA1
18fcf2c3f7756b5cc9f43ff41dde700c5326c2a8
-
SHA256
9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
-
SHA512
e4b89d38ea971d666c95297872363d855500e1c553bbceb83768137b3b50243423f50b563aefb0c3b18200ffcf3d283e6b2568dcbe68300ffabb78fa8e0a0ce6
-
SSDEEP
24576:P6A4MROxnFR3aTnXrZlI0AilFEvxHiXv:P6jMijkrZlI0AilFEvxHi
Malware Config
Extracted
orcus
178.20.45.159:7777
0987a51eb44e4803863e149ff474a3f6
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%appdata%\Discord\Telegram.exe
-
reconnect_delay
10000
-
registry_keyname
tg
-
taskscheduler_taskname
tg
-
watchdog_path
Temp\Telegram.exe
Targets
-
-
Target
9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
-
Size
914KB
-
MD5
382b5ec3d08f531a34b67c3d37851f93
-
SHA1
18fcf2c3f7756b5cc9f43ff41dde700c5326c2a8
-
SHA256
9963f8b42627725045115b76ed179f43468d4dfbfb26837e114fcdcd59e7d336
-
SHA512
e4b89d38ea971d666c95297872363d855500e1c553bbceb83768137b3b50243423f50b563aefb0c3b18200ffcf3d283e6b2568dcbe68300ffabb78fa8e0a0ce6
-
SSDEEP
24576:P6A4MROxnFR3aTnXrZlI0AilFEvxHiXv:P6jMijkrZlI0AilFEvxHi
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-