orcus | svchost[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

svchost.zip
Size

603KB
MD5

c420f16f72eb6b02e478c150bd8d1b0f
SHA1

11131a558cb2741678e1714ed31da9c056b87d45
SHA256

866ba410a22bf3c20b1b2dd45dd998bc5d8c0df40a01b6eda76f79408b0b559e
SHA512

ad862ce0ca9939283a26e0586cb9cf2658c64e4f935fdbacec6b02ceec7448cab453105d091e140f278127566b1614cfe648272dfd66380338f4451438500f71
SSDEEP

12288:tzDma+dG6K3lPYT70IKYr2nfaaqaYHLVaguJE4zKnI:t2a222H2fjYHRaguJEcKI

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

195.88.218.203:2404

Mutex

096ac5ab5bb94a738ad20ab436aa477a

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\svchost\svchost.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\svchost.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
static1/unpack001/svchost.exe	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
static1/unpack001/svchost.exe	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/svchost.exe

Files

svchost.zip
.zip
svchost.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 921KB - Virtual size: 920KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ