General
-
Target
2fcc4cf0002dd0872f5d103d4a304e7b1737df8a36964bae6c3ba6b22f41b70e
-
Size
3.0MB
-
Sample
240719-bh58csydqa
-
MD5
2878272d78af181a0113ac8fc9044c16
-
SHA1
600add857652ceb29fd034aac7cac537c3f27bf4
-
SHA256
2fcc4cf0002dd0872f5d103d4a304e7b1737df8a36964bae6c3ba6b22f41b70e
-
SHA512
a3e2f9a86e6b3f0ccd35eb4be0856b8869eff929d28ce48b0ffbb6c090179f07dd5fa29f16f184b9be688abeeb10cfa2b27c85cc12b994fdbab6ac68c429888e
-
SSDEEP
49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb3:YUHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
orcus
Новый тег
31.44.184.52:29730
sudo_euije6lcd38yeu6jb7zgq4cm0g94j305
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\protectsecure\packetline.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Targets
-
-
Target
2fcc4cf0002dd0872f5d103d4a304e7b1737df8a36964bae6c3ba6b22f41b70e
-
Size
3.0MB
-
MD5
2878272d78af181a0113ac8fc9044c16
-
SHA1
600add857652ceb29fd034aac7cac537c3f27bf4
-
SHA256
2fcc4cf0002dd0872f5d103d4a304e7b1737df8a36964bae6c3ba6b22f41b70e
-
SHA512
a3e2f9a86e6b3f0ccd35eb4be0856b8869eff929d28ce48b0ffbb6c090179f07dd5fa29f16f184b9be688abeeb10cfa2b27c85cc12b994fdbab6ac68c429888e
-
SSDEEP
49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb3:YUHTPJg8z1mKnypSbRxo9JCm
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-