General
-
Target
0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc
-
Size
3.0MB
-
Sample
240512-bs6lwach23
-
MD5
56c65d591a8774932454d819af7d199b
-
SHA1
6368acc0182b686bfef8f4d8c63d84c1ad191235
-
SHA256
0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc
-
SHA512
cd584661f78601979267120e3f702beff8259947886f11045695de48a1c3c7731d131d6f800a1193f10783a65d596cb279b970ada242833bbeb1917949444a0a
-
SSDEEP
49152:gYwN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmCWncFf0I74gu39Ms:g/0wGGzBjryX82uypSb9ndo9JCmV
Malware Config
Extracted
orcus
192.168.100.3:4444
385cbca3ba9444dc92ca47ce9ac1e3d9
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
C:\Windows\System32\edge.exe
-
reconnect_delay
10000
-
registry_keyname
Defender
-
taskscheduler_taskname
system
-
watchdog_path
Temp\msedge.exe
Targets
-
-
Target
0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc
-
Size
3.0MB
-
MD5
56c65d591a8774932454d819af7d199b
-
SHA1
6368acc0182b686bfef8f4d8c63d84c1ad191235
-
SHA256
0b3c49d48cbceb344579689d8755d3a9797a316d845150f0bab17a686e78cfdc
-
SHA512
cd584661f78601979267120e3f702beff8259947886f11045695de48a1c3c7731d131d6f800a1193f10783a65d596cb279b970ada242833bbeb1917949444a0a
-
SSDEEP
49152:gYwN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmCWncFf0I74gu39Ms:g/0wGGzBjryX82uypSb9ndo9JCmV
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-