General
- Target: svchost.zip
- Size: 603KB
- Sample: 240612-sah7asshkq
- MD5: c420f16f72eb6b02e478c150bd8d1b0f
- SHA1: 11131a558cb2741678e1714ed31da9c056b87d45
- SHA256: 866ba410a22bf3c20b1b2dd45dd998bc5d8c0df40a01b6eda76f79408b0b559e
- SHA512: ad862ce0ca9939283a26e0586cb9cf2658c64e4f935fdbacec6b02ceec7448cab453105d091e140f278127566b1614cfe648272dfd66380338f4451438500f71
- SSDEEP: 12288:tzDma+dG6K3lPYT70IKYr2nfaaqaYHLVaguJE4zKnI:t2a222H2fjYHRaguJEcKI
Malware Config
Extracted
- orcus
- 195.88.218.203:2404
- 096ac5ab5bb94a738ad20ab436aa477a
- autostart_method: TaskScheduler
- enable_keylogger: false
- install_path: %programfiles%\svchost\svchost.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: AppData\svchost.exe
Targets
- Target: svchost.exe
- Size: 926KB
- MD5: 6f71338b620dae2eb5f00a1c0820e42b
- SHA1: 370a336000a94cbe9a5d6d05a391104a0802fbc5
- SHA256: 3dc90286ad0fb1b325798757f746460a81e6b326dbb63a907ead343a4ab47fcb
- SHA512: 40b8c5af3fc7a8a41b22a8f373b8b38a6b870df1e519150d24744a747b0efeedc2fad18418af84d12c25cd84d92bfa5fe7e517bf9d2da2fec6b6677be39376de
- SSDEEP: 24576:VIY4MROxnFE38O3IrrcI0AilFEvxHPRoox:VaMiuZIrrcI0AilFEvxHP
- Orcus main payload
- Orcus RAT Executable
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory