General

  • Target

    3570ab4d0875c600215d15ba9d9e439c5a61b16fb40b50c0202097dbca58ee5d

  • Size

    921KB

  • Sample

    240616-bjwejswhrq

  • MD5

    5dc7ba557d1063adef1eb6ddd8e0fd7e

  • SHA1

    0e5a33a81db4709ddfc591c8b2dc5ec1958fc0ca

  • SHA256

    3570ab4d0875c600215d15ba9d9e439c5a61b16fb40b50c0202097dbca58ee5d

  • SHA512

    2b3da40b9684d6e1aac29967ddaa1a300b59afd4b9b59b74e094c66d20cae979c9a9780c202d4e3ad96270dd06820df500b5bfb798129dbbb8cb0254f9360a56

  • SSDEEP

    24576:5ey4MROxnFt3/YrrcI0AilFEvxHPUooL:5aMijgrrcI0AilFEvxHP

Malware Config

Extracted

  • Family

    orcus

  • C2

    te1.tunnelin.com:58172

  • Mutex

    db6d3ae780044a5887936785b42c15ad

Attributes

  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programdata%\Microsoft Security\ntoskrnl.exe

  • reconnect_delay

    10000

  • registry_keyname

    Windows Defender

  • taskscheduler_taskname

    Microsoft_Security

  • watchdog_path

    Temp\5BE731319AC3C9A3FBF49A732595E665F.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15