General
-
Target
acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521
-
Size
921KB
-
Sample
240627-brv4raxgmm
-
MD5
ffb0b2a6d13a400e4e05908cfe0e677b
-
SHA1
e27ecf8d074beb524219b6d9e563fc5f76cd0546
-
SHA256
acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521
-
SHA512
5ade0726c36bea2b02c9e9533bc166be4f3794bd78a15a814eb5be418794880c22987f434fcd51967f1c33c3550b671f257b9583121c6ef0c5f0231ccee897f3
-
SSDEEP
24576:ZCW4MROxnF43olqrrcI0AilFEvxHjiQ8:ZCVMiGrrrcI0AilFEvxHj
Behavioral task
behavioral1
Sample
acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
orcus
85.159.230.132:10134
0a90560fd1de4ef0859fc02bececce78
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\svhost\svhost.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\svhost.exe
Targets
-
-
Target
acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521
-
Size
921KB
-
MD5
ffb0b2a6d13a400e4e05908cfe0e677b
-
SHA1
e27ecf8d074beb524219b6d9e563fc5f76cd0546
-
SHA256
acbe32afbdf67ae6aa81e19f4cba285da5fec8b24163a369048a041729159521
-
SHA512
5ade0726c36bea2b02c9e9533bc166be4f3794bd78a15a814eb5be418794880c22987f434fcd51967f1c33c3550b671f257b9583121c6ef0c5f0231ccee897f3
-
SSDEEP
24576:ZCW4MROxnF43olqrrcI0AilFEvxHjiQ8:ZCVMiGrrrcI0AilFEvxHj
Score10/10-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-