General

  • Target

    1bc223aed315349c64f11e2c1b82c51ac13b270919a48bf8e799ae1bd45b17cc

  • Size

    1.1MB

  • Sample

    240610-bfwwxaae32

  • MD5

    b03ab8a74cf59fc472a4789bf8140c7f

  • SHA1

    90ca9a977bd349a589c539511b5ccfe2387169c0

  • SHA256

    1bc223aed315349c64f11e2c1b82c51ac13b270919a48bf8e799ae1bd45b17cc

  • SHA512

    d2d3e0b5e7a6f7358ace03d2ede2535ad5e5c7b68f8ce6a0112a0a2715850146f5d724f0f3824653724831bcb3c45587b6c79ad7765011cdefc85cdb0e55d321

  • SSDEEP

    24576:91j4MROxnFE3FO3FrrcI0AilFEvxHPgWooLtW6pXcWSE+:9iMiuKFrrcI0AilFEvxHPg96VcWS

Malware Config

Extracted

Family

orcus

Botnet

In Silence

C2

192.168.1.69:10134

Mutex

a7fb4837861d40698b4e9e27bd20daa7

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    In Silence

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      1bc223aed315349c64f11e2c1b82c51ac13b270919a48bf8e799ae1bd45b17cc

    • Size

      1.1MB

    • MD5

      b03ab8a74cf59fc472a4789bf8140c7f

    • SHA1

      90ca9a977bd349a589c539511b5ccfe2387169c0

    • SHA256

      1bc223aed315349c64f11e2c1b82c51ac13b270919a48bf8e799ae1bd45b17cc

    • SHA512

      d2d3e0b5e7a6f7358ace03d2ede2535ad5e5c7b68f8ce6a0112a0a2715850146f5d724f0f3824653724831bcb3c45587b6c79ad7765011cdefc85cdb0e55d321

    • SSDEEP

      24576:91j4MROxnFE3FO3FrrcI0AilFEvxHPgWooLtW6pXcWSE+:9iMiuKFrrcI0AilFEvxHPg96VcWS

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks