General

  • Target

    Rc7- Cracked by Roque Exploitzz.exe

  • Size

    907KB

  • Sample

    240723-j8y6qsweqb

  • MD5

    5668bd983341f9ffd4726d887090b64c

  • SHA1

    1a150545d2fb65240101f9466b1043269b379f25

  • SHA256

    afb1bf7f37ba0ff0ccd8fa29c7089abc4975fef56155ab9f3c1535fea70b1f0d

  • SHA512

    0dcb2b2a1c2ee10c3b3727e3cfde698ec339569003bc3e18a6b76de65e7497080799d2e52fae234cb4e5ab518a296bf0d4f2f350f0571a1b39bc8b3e584c6ed1

  • SSDEEP

    24576:nhv4MROxnFj3IrkxrrcI0AilFEvxHPyooT:nKMi1UqrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

wowthatsagoodmeme.ddns.net:10134

Mutex

4be6c8113962424a916b8095b89af0c9

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %appdata%\WlNDOWS DEFENDER\UPDATER.exe

  • reconnect_delay

    10000

  • registry_keyname

    Wlndows Defender

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\%appdata%/WlNDOWS DEFENDER/WlNDOWS DEFENDER UPDATER.exe

Targets

    • Target

      Rc7- Cracked by Roque Exploitzz.exe

    • Size

      907KB

    • MD5

      5668bd983341f9ffd4726d887090b64c

    • SHA1

      1a150545d2fb65240101f9466b1043269b379f25

    • SHA256

      afb1bf7f37ba0ff0ccd8fa29c7089abc4975fef56155ab9f3c1535fea70b1f0d

    • SHA512

      0dcb2b2a1c2ee10c3b3727e3cfde698ec339569003bc3e18a6b76de65e7497080799d2e52fae234cb4e5ab518a296bf0d4f2f350f0571a1b39bc8b3e584c6ed1

    • SSDEEP

      24576:nhv4MROxnFj3IrkxrrcI0AilFEvxHPyooT:nKMi1UqrrcI0AilFEvxHP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks