General
-
Target
75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1
-
Size
914KB
-
Sample
240629-bdjtkazfjq
-
MD5
8f4a262076a343c306b3e45a01c0a532
-
SHA1
ffd57f1068cf5f7acb5f359b5e1a947ab04ab186
-
SHA256
75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1
-
SHA512
4fae8619281c39c729ce787536a3013377b74005d299666ec615e125be28c2505721d7a33c802c07a461f3e76180c7eac99c46c608818b439eb90f8dbef3ff8e
-
SSDEEP
24576:vk84MROxnFR3NRirZlI0AilFEvxHi985o:vkPMijirZlI0AilFEvxHi
Behavioral task
behavioral1
Sample
75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe
Resource
win7-20240221-en
Malware Config
Extracted
orcus
lox
8.tcp.ngrok.io:14334
97a795082d1b4d009c62ffc5af327057
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1
-
Size
914KB
-
MD5
8f4a262076a343c306b3e45a01c0a532
-
SHA1
ffd57f1068cf5f7acb5f359b5e1a947ab04ab186
-
SHA256
75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1
-
SHA512
4fae8619281c39c729ce787536a3013377b74005d299666ec615e125be28c2505721d7a33c802c07a461f3e76180c7eac99c46c608818b439eb90f8dbef3ff8e
-
SSDEEP
24576:vk84MROxnFR3NRirZlI0AilFEvxHi985o:vkPMijirZlI0AilFEvxHi
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-