General

  • Target

    72f9504b130153501946181572ec2defba3bff65f5eda1cc99316dd6c870d01c

  • Size

    3.0MB

  • Sample

    240703-bdngratbqj

  • MD5

    0bbd9bfe28fdd6f61582c5b06c3f592f

  • SHA1

    c16d94dd136b8a4199a4d6edb80de798dfbe44e4

  • SHA256

    72f9504b130153501946181572ec2defba3bff65f5eda1cc99316dd6c870d01c

  • SHA512

    993f0b532a72e7cd0bf98ca588ff1c3ce5ae10c30407b66cdf47dd599a4fb30e59839badf28ee3cfc02ab91130b5b5b89173f0c02e7be80c60ed2695f6d03349

  • SSDEEP

    49152:4caN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCm/WncFf0I74gu35kM:4h0wGGzBjryX82uypSb9ndo9JCm

Malware Config

Extracted

Family

orcus

C2

5.29.153.174:2315

Mutex

2889f4dd8f0745d8a986434159494918

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\kernel\kernel.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    kerneltask

  • watchdog_path

    AppData\SystemKernel.exe

Targets

    • Target

      72f9504b130153501946181572ec2defba3bff65f5eda1cc99316dd6c870d01c

    • Size

      3.0MB

    • MD5

      0bbd9bfe28fdd6f61582c5b06c3f592f

    • SHA1

      c16d94dd136b8a4199a4d6edb80de798dfbe44e4

    • SHA256

      72f9504b130153501946181572ec2defba3bff65f5eda1cc99316dd6c870d01c

    • SHA512

      993f0b532a72e7cd0bf98ca588ff1c3ce5ae10c30407b66cdf47dd599a4fb30e59839badf28ee3cfc02ab91130b5b5b89173f0c02e7be80c60ed2695f6d03349

    • SSDEEP

      49152:4caN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCm/WncFf0I74gu35kM:4h0wGGzBjryX82uypSb9ndo9JCm

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks