General

  • Target

    7076a4830f2294b3f5ed5f695a6809bf30d2532fe768a579e8a13d6ed90d957a

  • Size

    917KB

  • Sample

    240615-bqkavsxgnp

  • MD5

    b89e484260d55420abd2837adf1fbb5e

  • SHA1

    25f5e70c144f9bf3383892104c82f7382f824424

  • SHA256

    7076a4830f2294b3f5ed5f695a6809bf30d2532fe768a579e8a13d6ed90d957a

  • SHA512

    983f3116111a999f316d494a7db538e6f9a2f2f2fa811fb08e28628a435876e7c52577f2998f3e700599d128c95f4afa189e117f3cda7003694de65a423c2952

  • SSDEEP

    24576:+554MROxnFD3cw8XlrrcI0AilFEvxHPhCoog:+QMiJArrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

selected-prove.gl.at.ply.gg:23398

Mutex

607dffe61a7d4757a14c10330fc5e802

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Microsoft\Edge\Application\msupdate.exe

  • reconnect_delay

    10000

  • registry_keyname

    Microsoft Edgde Updater

  • taskscheduler_taskname

    Microsoft Edge Runtime

  • watchdog_path

    Temp\ALKI@#PI!J)PRa)(r.exe

Targets

    • Target

      7076a4830f2294b3f5ed5f695a6809bf30d2532fe768a579e8a13d6ed90d957a

    • Size

      917KB

    • MD5

      b89e484260d55420abd2837adf1fbb5e

    • SHA1

      25f5e70c144f9bf3383892104c82f7382f824424

    • SHA256

      7076a4830f2294b3f5ed5f695a6809bf30d2532fe768a579e8a13d6ed90d957a

    • SHA512

      983f3116111a999f316d494a7db538e6f9a2f2f2fa811fb08e28628a435876e7c52577f2998f3e700599d128c95f4afa189e117f3cda7003694de65a423c2952

    • SSDEEP

      24576:+554MROxnFD3cw8XlrrcI0AilFEvxHPhCoog:+QMiJArrcI0AilFEvxHP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks