General
-
Target
4d37adf0c3bdb82bca83335523ff532318e6b99a3c6feabbdd117bcf41d23b79
-
Size
3.0MB
-
Sample
240428-bf3dpach4x
-
MD5
a799040cfc26714b653950f418cc3359
-
SHA1
3c944bf11d495c0cd7bee4e8dbc9515bea44b94c
-
SHA256
4d37adf0c3bdb82bca83335523ff532318e6b99a3c6feabbdd117bcf41d23b79
-
SHA512
591c5537397a2f8e93cd16911ef94fd7adaf682851f1d21dc8e39d7b43dbdf661ed0c441fd11ec620d55dff4dcdf9c110d3c162b4f0cee080a3f7178122a50c6
-
SSDEEP
49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qb:CsHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
orcus
voznya
31.44.184.52:29613
sudo_bk0dxk6ankr3vxmczlddfhmsclecfrf2
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
C:\a\generatorhttp\wpuniversal.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Targets
-
-
Target
4d37adf0c3bdb82bca83335523ff532318e6b99a3c6feabbdd117bcf41d23b79
-
Size
3.0MB
-
MD5
a799040cfc26714b653950f418cc3359
-
SHA1
3c944bf11d495c0cd7bee4e8dbc9515bea44b94c
-
SHA256
4d37adf0c3bdb82bca83335523ff532318e6b99a3c6feabbdd117bcf41d23b79
-
SHA512
591c5537397a2f8e93cd16911ef94fd7adaf682851f1d21dc8e39d7b43dbdf661ed0c441fd11ec620d55dff4dcdf9c110d3c162b4f0cee080a3f7178122a50c6
-
SSDEEP
49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qb:CsHTPJg8z1mKnypSbRxo9JCm
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-