General

  • Target

    b380702b2efcf3f396879bf8a26a26c49bcaff0653feaf00cd3906e49aeeb02e

  • Size

    944KB

  • Sample

    240523-b7beaahb9w

  • MD5

    5b2b363429b9a05c302a472918f7a11c

  • SHA1

    487eb2ba20779fe2b80932c2c1f0192a2643a17e

  • SHA256

    b380702b2efcf3f396879bf8a26a26c49bcaff0653feaf00cd3906e49aeeb02e

  • SHA512

    3868dc59c0a8cac98d0f9f075ff6d0d457fde42f9aa50c7fead2fadf4c83fdfac9da70883354dee3039f0f64c392c2d5cb107d4bc809d59cb4bd81d9bf330976

  • SSDEEP

    24576:jGRs4MROxnFi36sVrrcI0AilFEvxHPYooh:jM/Mio7VrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

Botnet

Tanin Komp

C2

192.168.200.18:10134

Mutex

e8facf65797c47f380e8502c73b84cf9

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    <inecraft server administration tools

  • watchdog_path

    Temp\Minecraft server tools tasker.exe
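
The extracted config above gives everything needed to hunt for this build on an endpoint: the Run key value name, the install path, the watchdog drop location, the scheduled-task name and the C2 socket. Note that the C2 address 192.168.200.18 is RFC 1918 space, so this build only beacons inside a LAN (a test build or an internal deployment) and the IP is useless as an external network IOC; the host artefacts are the durable indicators. The script below is an added example, not part of the sandbox report or of Orcus itself. It runs simple match rules over constructed Sysmon-style events (assumed field names follow Sysmon: EventID 1 process create, 3 network connect, 11 file create, 13 registry value set) plus a constructed Security 4698 task-creation record. The mutex is deliberately not a rule, since Sysmon does not log mutex creation; it has to be checked on a live host with a handle-enumeration tool.

```python
"""Hunt for the Orcus persistence and C2 artefacts from the extracted config.

Added example (not the report's or the malware's code). All events below are
constructed for illustration; field names assume Sysmon / Windows Security
event schemas.
"""

# Indicators copied from the extracted config. The task name is matched on the
# substring visible in the config so the rule does not depend on its first
# character, which is garbled in the extraction.
C2_IP, C2_PORT = "192.168.200.18", 10134
INSTALL_PATH = r"%programfiles%\Orcus\Orcus.exe"
RUN_KEY_NAME = "Orcus"
WATCHDOG_SUFFIX = r"Temp\Minecraft server tools tasker.exe"
TASK_NAME_FRAGMENT = "inecraft server administration tools"


def _norm(path):
    """Case-fold and normalise slashes so Windows paths compare reliably."""
    return path.lower().replace("/", "\\")


# Orcus is .NET, so %programfiles% may expand to either Program Files folder.
INSTALL_CANDIDATES = {
    _norm(INSTALL_PATH.replace("%programfiles%", pf))
    for pf in (r"C:\Program Files", r"C:\Program Files (x86)")
}

# Constructed sample telemetry: five true positives, two benign decoys.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Orcus",
     "Details": r"C:\Program Files\Orcus\Orcus.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Orcus\Orcus.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\Minecraft server tools tasker.exe"},
    {"EventID": 4698, "TaskName": r"\Minecraft server administration tools"},
    {"EventID": 3, "DestinationIp": "192.168.200.18", "DestinationPort": 10134},
    {"EventID": 3, "DestinationIp": "192.168.200.18", "DestinationPort": 443},   # same host, not the C2 port
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},                  # unrelated process
]


def match_event(ev):
    """Return the list of rule names that fire on a single event."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:
        target = _norm(ev.get("TargetObject", ""))
        # Run key written under HKLM or any HKU hive with value name "Orcus".
        if target.endswith("\\currentversion\\run\\" + RUN_KEY_NAME.lower()):
            hits.append("orcus_run_key")
    if eid == 1 and _norm(ev.get("Image", "")) in INSTALL_CANDIDATES:
        hits.append("orcus_install_path_exec")
    if eid == 11 and _norm(ev.get("TargetFilename", "")).endswith(_norm(WATCHDOG_SUFFIX)):
        hits.append("orcus_watchdog_dropped")
    if eid == 4698 and TASK_NAME_FRAGMENT.lower() in ev.get("TaskName", "").lower():
        hits.append("orcus_scheduled_task")
    if (eid == 3 and ev.get("DestinationIp") == C2_IP
            and int(ev.get("DestinationPort", 0)) == C2_PORT):
        hits.append("orcus_c2_connect")
    return hits


def hunt(events):
    """Run every rule over an event stream; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Path rules normalise case and slashes because Orcus writes the install path through environment expansion and Sysmon records it as expanded, so a naive string compare against the config value would miss it. The C2 rule keys on IP and port together; a connection to the same internal host on another port is not evidence of this implant.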

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution, T1547 (1)
  • Registry Run Keys / Startup Folder, T1547.001 (1)

Privilege Escalation
  • Boot or Logon Autostart Execution, T1547 (1)
  • Registry Run Keys / Startup Folder, T1547.001 (1)

Defense Evasion
  • Modify Registry, T1112 (1)

Discovery
  • Query Registry, T1012 (1)
  • System Information Discovery, T1082 (2)

Tasks