General

  • Target

    3b19472241e59e8baa3feb629d6c9e544be3b1bdc3d729040cb6a75a0b9cbf5b

  • Size

    913KB

  • Sample

    240613-crst3a1cpc

  • MD5

    c5ff7003b1a4305baee4fb7f7a7e5134

  • SHA1

    a83ad77799a7c3baac548360dabbdfceba50e4ac

  • SHA256

    3b19472241e59e8baa3feb629d6c9e544be3b1bdc3d729040cb6a75a0b9cbf5b

  • SHA512

    12d6a508a7cd2f5ca31765e47a5496a06999120189544a15f5ff76cb2acf296d0cb6929eae929d433a1fcf4aaa9c5cd49f9779c9117a57183bb36fea98ab5ff8

  • SSDEEP

    24576:IeC4MROxnFSFPurerrcI0AilFEvxHPkoo/:IeMiZerrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

192.168.0.39:10134 (RFC 1918 private address; the client can only reach this controller from inside the same LAN, which is consistent with a test or lab build rather than an internet-facing deployment)

Mutex

b2051884f41844f787e2ffc3e034cf99

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe
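The configuration above maps directly onto host artifacts a responder can look for. The following PowerShell host-triage script is an added example, not part of the sandbox report and not Orcus code: the config values are copied from the report, while the Run-key locations, the AppData roots used for the watchdog and the `Global\` mutex prefix are assumptions rather than extracted facts. Run it in an elevated session on the suspect host.

```powershell
# Added host-triage example built from the configuration extracted above.
# It is not part of the sandbox report or of Orcus itself. Config values are
# copied from the report; the Run-key locations, the AppData roots used for the
# watchdog and the Global\ mutex prefix are assumptions, not extracted facts.

$OrcusConfig = @{
    C2                    = '192.168.0.39:10134'
    Mutex                 = 'b2051884f41844f787e2ffc3e034cf99'
    InstallPath           = '%programfiles%\Orcus\Orcus.exe'
    RegistryKeyName       = 'Orcus'
    TaskSchedulerTaskName = 'Orcus'
    WatchdogPath          = 'AppData\OrcusWatchdog.exe'
}

function Find-OrcusArtifacts {
    param([hashtable]$Config = $OrcusConfig)
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Installed payload: expand %programfiles% as the client would, and also
    #    try the 32-bit Program Files folder on 64-bit hosts.
    $candidates = @([Environment]::ExpandEnvironmentVariables($Config.InstallPath))
    if (${env:ProgramFiles(x86)}) {
        $candidates += $Config.InstallPath -replace '%programfiles%', ${env:ProgramFiles(x86)}
    }
    foreach ($p in ($candidates | Select-Object -Unique)) {
        if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("payload present: $p") }
    }

    # 2. Watchdog: the config stores a path relative to "AppData". Which AppData
    #    root the client uses is treated as unknown here (assumption), so Roaming
    #    and Local are checked for every user profile on the system drive.
    $leaf = Split-Path -Leaf $Config.WatchdogPath
    $userDirs = Get-ChildItem -Directory -Path "$env:SystemDrive\Users" -ErrorAction SilentlyContinue
    foreach ($userDir in $userDirs) {
        foreach ($sub in 'AppData\Roaming', 'AppData\Local') {
            $wp = Join-Path $userDir.FullName (Join-Path $sub $leaf)
            if (Test-Path -LiteralPath $wp -PathType Leaf) { $findings.Add("watchdog present: $wp") }
        }
    }

    # 3. Autostart: this build has autostart_method = Disable, so a clean result
    #    here is expected; the names are still checked because a rebuilt client
    #    can enable persistence under the same registry value / task name.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $item = Get-ItemProperty -Path $key -Name $Config.RegistryKeyName -ErrorAction SilentlyContinue
        if ($item) {
            $findings.Add("Run value '$($Config.RegistryKeyName)' in $key = $($item.($Config.RegistryKeyName))")
        }
    }
    $task = Get-ScheduledTask -TaskName $Config.TaskSchedulerTaskName -ErrorAction SilentlyContinue
    if ($task) { $findings.Add("scheduled task $($task.TaskPath)$($task.TaskName)") }

    # 4. Mutex: OpenExisting succeeds only while a process holds the named mutex.
    #    Access denied means it exists but belongs to another session, which is
    #    still a finding. Checking the Global\ variant is an assumption.
    foreach ($name in $Config.Mutex, "Global\$($Config.Mutex)") {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $findings.Add("mutex '$name' is held by a running process")
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present
        } catch [System.UnauthorizedAccessException] {
            $findings.Add("mutex '$name' exists (access denied from this session)")
        }
    }

    # 5. Live C2 session. 192.168.0.39 is an RFC 1918 address, so this only
    #    fires on a host that sits on the same private network as the controller.
    $c2Host, $c2Port = $Config.C2 -split ':'
    $conns = Get-NetTCPConnection -RemoteAddress $c2Host -RemotePort ([int]$c2Port) `
                                  -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("established connection to $($Config.C2) from PID $($c.OwningProcess) ($($proc.ProcessName))")
    }

    return ,$findings
}

$results = Find-OrcusArtifacts
if ($results.Count -eq 0) { Write-Output 'no Orcus artifacts found' } else { $results }
```

Each check corresponds to one attribute of the extracted config, so the same function can be re-pointed at a different Orcus build by swapping the hashtable. A hit on the payload path or the mutex is strong evidence on its own; the Run-key and scheduled-task checks are included for completeness because this particular build ships with autostart disabled.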

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory
