General

  • Target

    svchost.zip

  • Size

    603KB

  • Sample

    240612-sah7asshkq

  • MD5

    c420f16f72eb6b02e478c150bd8d1b0f

  • SHA1

    11131a558cb2741678e1714ed31da9c056b87d45

  • SHA256

    866ba410a22bf3c20b1b2dd45dd998bc5d8c0df40a01b6eda76f79408b0b559e

  • SHA512

    ad862ce0ca9939283a26e0586cb9cf2658c64e4f935fdbacec6b02ceec7448cab453105d091e140f278127566b1614cfe648272dfd66380338f4451438500f71

  • SSDEEP

    12288:tzDma+dG6K3lPYT70IKYr2nfaaqaYHLVaguJE4zKnI:t2a222H2fjYHRaguJEcKI

Malware Config

Extracted

Family

orcus

C2

195.88.218.203:2404

Mutex

096ac5ab5bb94a738ad20ab436aa477a

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\svchost\svchost.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\svchost.exe

Targets

    • Target

      svchost.exe

    • Size

      926KB

    • MD5

      6f71338b620dae2eb5f00a1c0820e42b

    • SHA1

      370a336000a94cbe9a5d6d05a391104a0802fbc5

    • SHA256

      3dc90286ad0fb1b325798757f746460a81e6b326dbb63a907ead343a4ab47fcb

    • SHA512

      40b8c5af3fc7a8a41b22a8f373b8b38a6b870df1e519150d24744a747b0efeedc2fad18418af84d12c25cd84d92bfa5fe7e517bf9d2da2fec6b6677be39376de

    • SSDEEP

      24576:VIY4MROxnFE38O3IrrcI0AilFEvxHPRoox:VaMiuZIrrcI0AilFEvxHP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks