General

  • Target

    acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521

  • Size

    921KB

  • Sample

    240627-brv4raxgmm

  • MD5

    ffb0b2a6d13a400e4e05908cfe0e677b

  • SHA1

    e27ecf8d074beb524219b6d9e563fc5f76cd0546

  • SHA256

    acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521

  • SHA512

    5ade0726c36bea2b02c9e9533bc166be4f3794bd78a15a814eb5be418794880c22987f434fcd51967f1c33c3550b671f257b9583121c6ef0c5f0231ccee897f3

  • SSDEEP

    24576:ZCW4MROxnF43olqrrcI0AilFEvxHjiQ8:ZCVMiGrrrcI0AilFEvxHj

Malware Config

Extracted

Family

orcus

C2

85.159.230.132:10134

Mutex

0a90560fd1de4ef0859fc02bececce78

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\svhost\svhost.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\svhost.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory