Analysis
max time kernel: 1188s
max time network: 1198s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 16:57
Behavioral task: behavioral1
Sample: java.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: java.exe
Resource: win10-20240404-en
Behavioral task: behavioral3
Sample: java.exe
Resource: win10v2004-20240709-en
General
Target: java.exe
Size: 912KB
MD5: ded3e760ff8be2ba3644390356a06ecc
SHA1: bf35f9633107ec72a57157f24c4f080ed9203dd6
SHA256: 8fe37b9605617ca26443064f74eaaf156f43c7ef80deaecdc71eb5688f4cc255
SHA512: 11b7d51395a6dd952a231f093b79df87a1de7e62be6d9a8aadf73dc4dd20c8557b636bafd50672cdb06607bfcffe713685f51f218b7679e07177a42ff931bc62
SSDEEP: 12288:c0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCjRzUefAUQGYppMku77dG1lFlWu:gOK4MROxnFHVorrcI0AilFEvxHjWQg
Malware Config
Extracted
orcus
0.tcp.eu.ngrok.io:10019
a6fa2ae42e784c859e6a44e0e55cd75b
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Orcurs Rat Executable (1 IoCs)
Processes:
resource: behavioral3/memory/2304-1-0x0000000000220000-0x000000000030A000-memory.dmp
yara_rule: orcus
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 17 IoCs)
Processes:
flow 72: 0.tcp.eu.ngrok.io
flow 78: 0.tcp.eu.ngrok.io
flow 91: 0.tcp.eu.ngrok.io
flow 103: 0.tcp.eu.ngrok.io
flow 154: 0.tcp.eu.ngrok.io
flow 6: 0.tcp.eu.ngrok.io
flow 85: 0.tcp.eu.ngrok.io
flow 145: 0.tcp.eu.ngrok.io
flow 97: 0.tcp.eu.ngrok.io
flow 132: 0.tcp.eu.ngrok.io
flow 120: 0.tcp.eu.ngrok.io
flow 126: 0.tcp.eu.ngrok.io
flow 134: 0.tcp.eu.ngrok.io
flow 139: 0.tcp.eu.ngrok.io
flow 151: 0.tcp.eu.ngrok.io
flow 109: 0.tcp.eu.ngrok.io
flow 113: 0.tcp.eu.ngrok.io
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description: Token: SeDebugPrivilege
pid: 2304
Process: java.exe