Overview

overview

10

Static

static

5

549d6e9411...bc.exe

windows7-x64

10

549d6e9411...bc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    549d6e941121e13094a53f3362b1c30e2a7c8315b1a8cca61df6468ba3f249bc

  • Size

    2.6MB

  • Sample

    240424-br1z1adf49

  • MD5

    2dea5768b5866bcee84000cd7c64ddb6

  • SHA1

    d4d9d7ece1dec5575c29abe088d2d36c24b31eee

  • SHA256

    549d6e941121e13094a53f3362b1c30e2a7c8315b1a8cca61df6468ba3f249bc

  • SHA512

    c377209add6d5a8a142448db8bccd44217be6f0d7fba340a4fddf7cce6c629ce789aea40d750d20a47fd9cc5afea401d4d3845c67e1c52f3f6256fd002fde9d5

  • SSDEEP

    24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/NX:Vh+ZkldoPKiYdKr9J

Score
10/10
orcusligeonratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      549d6e941121e13094a53f3362b1c30e2a7c8315b1a8cca61df6468ba3f249bc

    • Size

      2.6MB

    • MD5

      2dea5768b5866bcee84000cd7c64ddb6

    • SHA1

      d4d9d7ece1dec5575c29abe088d2d36c24b31eee

    • SHA256

      549d6e941121e13094a53f3362b1c30e2a7c8315b1a8cca61df6468ba3f249bc

    • SHA512

      c377209add6d5a8a142448db8bccd44217be6f0d7fba340a4fddf7cce6c629ce789aea40d750d20a47fd9cc5afea401d4d3845c67e1c52f3f6256fd002fde9d5

    • SSDEEP

      24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/NX:Vh+ZkldoPKiYdKr9J

    Score
    10/10
    orcusligeonratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks