General
-
Target
43bb7f5aabd3203c6fa4f65ed37c3d2d4a9ac7138439f1fdebdf3f73c3275456
-
Size
934KB
-
Sample
240423-cpgc9abf4z
-
MD5
b4f9da6bb3d285ca5434e46cdf810f9a
-
SHA1
1ce3fa7613d043cabf11ef720a2eaaf44bec515f
-
SHA256
43bb7f5aabd3203c6fa4f65ed37c3d2d4a9ac7138439f1fdebdf3f73c3275456
-
SHA512
44a91e305230853b20a40af4c3635e1a84b6862759f511be24b9102eb549179bcfd7c5656cfa22e7dd602f8f9ebdf754638c0f2fd1ca99e067841d78ac3abc1e
-
SSDEEP
12288:v0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCcy782OV5ivMprmStz07dG1lFlL:3SO4MROxnFBLrrcI0AilFEvxHjVQ4Z
Behavioral task
behavioral1
Sample
43bb7f5aabd3203c6fa4f65ed37c3d2d4a9ac7138439f1fdebdf3f73c3275456.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
43bb7f5aabd3203c6fa4f65ed37c3d2d4a9ac7138439f1fdebdf3f73c3275456.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
orcus
s7vety-47274.portmap.host:47274
9b66c2abf6a74042aa75c51f01b5b0dc
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%temp%\Windows Updater\updateclient.exe
-
reconnect_delay
10000
-
registry_keyname
WindowsUpdater
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
Score
10/10
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-