General
- Target: 72f9504b130153501946181572ec2defba3bff65f5eda1cc99316dd6c870d01c
- Size: 3.0MB
- Sample: 240703-bdngratbqj
- MD5: 0bbd9bfe28fdd6f61582c5b06c3f592f
- SHA1: c16d94dd136b8a4199a4d6edb80de798dfbe44e4
- SHA256: 72f9504b130153501946181572ec2defba3bff65f5eda1cc99316dd6c870d01c
- SHA512: 993f0b532a72e7cd0bf98ca588ff1c3ce5ae10c30407b66cdf47dd599a4fb30e59839badf28ee3cfc02ab91130b5b5b89173f0c02e7be80c60ed2695f6d03349
- SSDEEP: 49152:4caN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCm/WncFf0I74gu35kM:4h0wGGzBjryX82uypSb9ndo9JCm
Behavioral task
behavioral1
- Sample: 72f9504b130153501946181572ec2defba3bff65f5eda1cc99316dd6c870d01c.exe
- Resource: win7-20240221-en
Malware Config
Extracted: orcus
5.29.153.174:2315
2889f4dd8f0745d8a986434159494918
- autostart_method: TaskScheduler
- enable_keylogger: true
- install_path: %programfiles%\kernel\kernel.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: kerneltask
- watchdog_path: AppData\SystemKernel.exe
Targets
- Orcurs Rat Executable
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory