General

  • Target

    e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477

  • Size

    918KB

  • Sample

    240717-bfsjgsyfkl

  • MD5

    5474ceea6b0979ae2b41e0ce1ced76f2

  • SHA1

    e054f4a3f77f6c65a931489c6c3245ee65f9afab

  • SHA256

    e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477

  • SHA512

    7bae6b92178ccbe72c705ccebc8be74bf0bb2c788e1b99cefe0d0d8fd9c30a0e9de5e9b7a99754192ce3111234eca4787332994661463d85df9f9be958411230

  • SSDEEP

    24576:1G+4MROxnFH3iRM4lrrcI0AilFEvxHPeooM:1WMihillrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

147.185.221.21:18264

Mutex

9ba7e84f7b7f4dda90da4044a35cb212

Attributes

  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Windows Fonts\FontDriver.exe

  • reconnect_delay

    10000

  • registry_keyname

    FontDriver

  • taskscheduler_taskname

    WindowsFontDriver

  • watchdog_path

    AppData\lssas.exe

Targets

    • Target

      e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477

    • Size

      918KB

    • MD5

      5474ceea6b0979ae2b41e0ce1ced76f2

    • SHA1

      e054f4a3f77f6c65a931489c6c3245ee65f9afab

    • SHA256

      e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477

    • SHA512

      7bae6b92178ccbe72c705ccebc8be74bf0bb2c788e1b99cefe0d0d8fd9c30a0e9de5e9b7a99754192ce3111234eca4787332994661463d85df9f9be958411230

    • SSDEEP

      24576:1G+4MROxnFH3iRM4lrrcI0AilFEvxHPeooM:1WMihillrrcI0AilFEvxHP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

MITRE ATT&CK Matrix

Tasks