Overview

overview

10

Static

static

1

wlanfixer.bat

windows7-x64

1

wlanfixer.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wlanfixer.bat

  • Size

    3.5MB

  • Sample

    240423-qfg53sgd8y

  • MD5

    45730c9d81cdc2677ea2bd082eb79edb

  • SHA1

    7ece7b975ab6506d83dac94f685e2cedbe56dd6b

  • SHA256

    31f17bf44fd2ce3fb0fde898d5bea0c35d18c82d3e2e9fcdae3cb8cd9f9fffb4

  • SHA512

    d4504b96971c71e38207b56ada95f5e78f8536aaa88a3cbeebaa16627ff548f620672c0d4c61e74707fdc2662ec99584b5dc8d6e3fa1b7056f9595531422b687

  • SSDEEP

    49152:mR8s3zr/pxAN80OHguszxrEC/agxlnUrLvlKNNwI:d

Score
10/10
orcusratspywarestealer

Malware Config

Targets

    • Target

      wlanfixer.bat

    • Size

      3.5MB

    • MD5

      45730c9d81cdc2677ea2bd082eb79edb

    • SHA1

      7ece7b975ab6506d83dac94f685e2cedbe56dd6b

    • SHA256

      31f17bf44fd2ce3fb0fde898d5bea0c35d18c82d3e2e9fcdae3cb8cd9f9fffb4

    • SHA512

      d4504b96971c71e38207b56ada95f5e78f8536aaa88a3cbeebaa16627ff548f620672c0d4c61e74707fdc2662ec99584b5dc8d6e3fa1b7056f9595531422b687

    • SSDEEP

      49152:mR8s3zr/pxAN80OHguszxrEC/agxlnUrLvlKNNwI:d

    Score
    10/10
    orcusratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcurs Rat Executable

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks