General
-
Target
d5c7ca634e831f4c0471cee5f2730a899b43d5486263f0de4b3883eaca2c3a61
-
Size
2.6MB
-
Sample
240425-d2ynqsee34
-
MD5
8b1f5d1ae0a540c81c70105a41c8626c
-
SHA1
168664b8419fdd5a654e41bcbe0cbfe196be7c41
-
SHA256
d5c7ca634e831f4c0471cee5f2730a899b43d5486263f0de4b3883eaca2c3a61
-
SHA512
d88f2620b0b50af97a57711b59df6a7a343cbc5b3af04552641ec8b942bf8c770bc9b07baeac07d9461fe863d4e62497b627f93a17212e1c188d4e32374ce119
-
SSDEEP
24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxI:Hh+ZkldoPKiYdqd6A
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
d5c7ca634e831f4c0471cee5f2730a899b43d5486263f0de4b3883eaca2c3a61
-
Size
2.6MB
-
MD5
8b1f5d1ae0a540c81c70105a41c8626c
-
SHA1
168664b8419fdd5a654e41bcbe0cbfe196be7c41
-
SHA256
d5c7ca634e831f4c0471cee5f2730a899b43d5486263f0de4b3883eaca2c3a61
-
SHA512
d88f2620b0b50af97a57711b59df6a7a343cbc5b3af04552641ec8b942bf8c770bc9b07baeac07d9461fe863d4e62497b627f93a17212e1c188d4e32374ce119
-
SSDEEP
24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxI:Hh+ZkldoPKiYdqd6A
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-