General

  • Target

    75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1

  • Size

    914KB

  • Sample

    240629-bdjtkazfjq

  • MD5

    8f4a262076a343c306b3e45a01c0a532

  • SHA1

    ffd57f1068cf5f7acb5f359b5e1a947ab04ab186

  • SHA256

    75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1

  • SHA512

    4fae8619281c39c729ce787536a3013377b74005d299666ec615e125be28c2505721d7a33c802c07a461f3e76180c7eac99c46c608818b439eb90f8dbef3ff8e

  • SSDEEP

    24576:vk84MROxnFR3NRirZlI0AilFEvxHi985o:vkPMijirZlI0AilFEvxHi

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    lox

  • C2

    8.tcp.ngrok.io:14334

  • Mutex

    97a795082d1b4d009c62ffc5af327057

Attributes

  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2
