General

  • Target

    071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da

  • Size

    924KB

  • Sample

    240616-bd4hzawfpq

  • MD5

    29afdcfe266af8444aafbc4725d63ae5

  • SHA1

    ed72a7261a22fa5335a8830d757d909b3620a840

  • SHA256

    071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da

  • SHA512

    4de70d4c4742faaa349ff6aa8908b28825edf90ee32ef27c7a494808c3ca50d12eb0736e6e8c791fa63e03ae08200ca50f58df5f9661756cff3422c3ca2429e2

  • SSDEEP

    24576:CIY4MROxnFE38O3IrrcI0AilFEvxHPwKoob:CaMiuZIrrcI0AilFEvxHPw

Malware Config

Extracted

Family

orcus

C2

192.168.0.101:5656

Mutex

33fdee79e66a4cc2b2137624e8250ad4

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    executor

  • taskscheduler_taskname

    Solaras

  • watchdog_path

    AppData\Solara.exe

Targets

    • Target

      071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da

    • Size

      924KB

    • MD5

      29afdcfe266af8444aafbc4725d63ae5

    • SHA1

      ed72a7261a22fa5335a8830d757d909b3620a840

    • SHA256

      071072d35d25a35b3b83cf879c3abec0cbc8b04fd6302c5f6f5380d3576a09da

    • SHA512

      4de70d4c4742faaa349ff6aa8908b28825edf90ee32ef27c7a494808c3ca50d12eb0736e6e8c791fa63e03ae08200ca50f58df5f9661756cff3422c3ca2429e2

    • SSDEEP

      24576:CIY4MROxnFE38O3IrrcI0AilFEvxHPwKoob:CaMiuZIrrcI0AilFEvxHPw

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks