Behavioral task
behavioral1
Sample
0a31207bfadcc400e5518e1f5a9e325d40d0a9d333092955bc60ea3afd5335e0.exe
Resource
win7-20240508-en
General
-
Target
0a31207bfadcc400e5518e1f5a9e325d40d0a9d333092955bc60ea3afd5335e0
-
Size
924KB
-
MD5
ad21426988b87f74a75b5e56ccc7f7e4
-
SHA1
cb24043d79f8f949131e5c30cc58cc9522f5eebd
-
SHA256
0a31207bfadcc400e5518e1f5a9e325d40d0a9d333092955bc60ea3afd5335e0
-
SHA512
fb9ea236a468aedd8227869244863f2217832c5c6ddbff813b7186ec4e110e8f8a9d0de68255fa801c2eec578d9909ddfde92db5b908d60a4fe7ab2a867e87f8
-
SSDEEP
24576:VCC4MROxnFE3bO3FrrcI0AilFEvxHPBoow:VKMiuoFrrcI0AilFEvxHP
Malware Config
Extracted
orcus
ало
192.168.56.1:6689
b8367b9fc38d44f8a8506ed1ba348efe
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcurs Rat Executable 1 IoCs
resource yara_rule sample orcus -
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule sample family_orcus -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 0a31207bfadcc400e5518e1f5a9e325d40d0a9d333092955bc60ea3afd5335e0
Files
-
0a31207bfadcc400e5518e1f5a9e325d40d0a9d333092955bc60ea3afd5335e0.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 921KB - Virtual size: 920KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ