General

  • Target

    374a4654f2a5ef4061fdf971cb43f808b16502e4eab1c0f969d2a7194e6dee0c

  • Size

    915KB

  • Sample

    240623-bga1tsxclm

  • MD5

    5068ade29bf53c33416a18110c7abe26

  • SHA1

    9ac01bd400d816ff2cbe003d1f4a729d6cb20615

  • SHA256

    374a4654f2a5ef4061fdf971cb43f808b16502e4eab1c0f969d2a7194e6dee0c

  • SHA512

    649630c6b5959cb3e35e707748afda96b9ab21b247a8e5440a9a0c665da4ef030f7d71216b6a05bf99a4d6c86353dfa9a26507ea7a9b356fbdab2d031e93d5e7

  • SSDEEP

    24576:CEqr4MROxnFi3PrkrZlI0AilFEvxHijb:CEjMioPwrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

192.168.56.1:10134

Mutex

e1b0180577ab46efa4733e10a6bd85df

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Nursultan

  • watchdog_path

    AppData\CrackLauncher.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks