General

  • Target

    Wave Trial.rar

  • Size

    2.6MB

  • Sample

    240728-mzwk2axanh

  • MD5

    f7bcc908772165281729d580dfac1e93

  • SHA1

    9ad85f734e6acff16e2a6a091ca7ae91f91ce09b

  • SHA256

    85bb2863655f93c060cdc223b65cf74bfc36ec3b168c9b276fff281c5de2f952

  • SHA512

    1bf46f1c39e81aaf0508346b10f55c0856c62bc5802a5de384a60e266462721ccbd9662610889bacde1e1d5e841f311fac142059986533942a0a3e47a39ff90d

  • SSDEEP

    49152:r4dFx1VbyuWNMUYDFoF2VR/pjoP5eDwPL3snpl82XP9tf3YGxDszrW5FdohxpEC:01EuBDFoFajoP+4MpC2/TAGxD24nSpEC

Malware Config

Extracted

Family

orcus

Botnet

Wave

C2

31.44.184.52:15288

Mutex

sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\securedatalifeasync\universal_.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Target

      Wave.exe

    • Size

      3.0MB

    • MD5

      df016abe8bfe2653c1dca38309260358

    • SHA1

      253c95a2b7f13d39b9a03ba9a52785258e439340

    • SHA256

      328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d

    • SHA512

      3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec

    • SSDEEP

      49152:B1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:BUHTPJg8z1mKnypSbRxo9JCm

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks