orcus | e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477 | Triage

Sharing

General

Target

e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477
Size

918KB
MD5

5474ceea6b0979ae2b41e0ce1ced76f2
SHA1

e054f4a3f77f6c65a931489c6c3245ee65f9afab
SHA256

e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477
SHA512

7bae6b92178ccbe72c705ccebc8be74bf0bb2c788e1b99cefe0d0d8fd9c30a0e9de5e9b7a99754192ce3111234eca4787332994661463d85df9f9be958411230
SSDEEP

24576:1G+4MROxnFH3iRM4lrrcI0AilFEvxHPeooM:1WMihillrrcI0AilFEvxHP

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

147.185.221.21:18264

Mutex

9ba7e84f7b7f4dda90da4044a35cb212

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Windows Fonts\FontDriver.exe
reconnect_delay
10000
registry_keyname
FontDriver
taskscheduler_taskname
WindowsFontDriver
watchdog_path
AppData\lssas.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477

Files

e28e0b202b118fc3c98e7887eff1f65214d1d4c51dad6b7db86d09913b493477
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 915KB - Virtual size: 914KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ