General
-
Target
Wave Trial.rar
-
Size
2.6MB
-
MD5
f7bcc908772165281729d580dfac1e93
-
SHA1
9ad85f734e6acff16e2a6a091ca7ae91f91ce09b
-
SHA256
85bb2863655f93c060cdc223b65cf74bfc36ec3b168c9b276fff281c5de2f952
-
SHA512
1bf46f1c39e81aaf0508346b10f55c0856c62bc5802a5de384a60e266462721ccbd9662610889bacde1e1d5e841f311fac142059986533942a0a3e47a39ff90d
-
SSDEEP
49152:r4dFx1VbyuWNMUYDFoF2VR/pjoP5eDwPL3snpl82XP9tf3YGxDszrW5FdohxpEC:01EuBDFoFajoP+4MpC2/TAGxD24nSpEC
Malware Config
Extracted
orcus
Wave
31.44.184.52:15288
sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\securedatalifeasync\universal_.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Signatures
-
Orcurs Rat Executable 1 IoCs
Processes:
resource yara_rule static1/unpack001/Wave.exe orcus -
Orcus family
-
Orcus main payload 1 IoCs
Processes:
resource yara_rule static1/unpack001/Wave.exe family_orcus -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/Wave.exe
Files
-
Wave Trial.rar.rar
-
Wave.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 3.0MB - Virtual size: 3.0MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 23KB - Virtual size: 23KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ