Overview

overview

10

Static

static

10

5385775eb0...cf.exe

windows7-x64

10

5385775eb0...cf.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5385775eb02f1181c9a4924d743dec44bce1e44f7e6a8d1ca4935ef9154538cf

  • Size

    3.0MB

  • Sample

    240726-bgx6cszbrf

  • MD5

    24785f32489b5e982b3ae6d22dd97d88

  • SHA1

    9d7a6c3f16441de12f077fab820185016ef21ba3

  • SHA256

    5385775eb02f1181c9a4924d743dec44bce1e44f7e6a8d1ca4935ef9154538cf

  • SHA512

    22bba6d1e9ec36ecb2fbc7002636b280213738a705b3d14c8f6c5c512dc8eb5d0b59c7d3cd3bbc078ca61d14be5045b4255ed213a89109114c48a354b788e57a

  • SSDEEP

    49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm

Score
10/10
orcusoda.execredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

Oda.exe

C2

31.44.184.52:30891

Mutex

sudo_8nb7pejmn5cgvpylbyav5o4p3xxhvmb7

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\providertest\localmulti.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Target

      5385775eb02f1181c9a4924d743dec44bce1e44f7e6a8d1ca4935ef9154538cf

    • Size

      3.0MB

    • MD5

      24785f32489b5e982b3ae6d22dd97d88

    • SHA1

      9d7a6c3f16441de12f077fab820185016ef21ba3

    • SHA256

      5385775eb02f1181c9a4924d743dec44bce1e44f7e6a8d1ca4935ef9154538cf

    • SHA512

      22bba6d1e9ec36ecb2fbc7002636b280213738a705b3d14c8f6c5c512dc8eb5d0b59c7d3cd3bbc078ca61d14be5045b4255ed213a89109114c48a354b788e57a

    • SSDEEP

      49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm

    Score
    10/10
    orcusoda.execredential_accessdiscoveryratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus main payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks