General

  • Target

    MalwareBazaar.0

  • Size

    3.0MB

  • Sample

    240728-wlmweazflh

  • MD5

    df016abe8bfe2653c1dca38309260358

  • SHA1

    253c95a2b7f13d39b9a03ba9a52785258e439340

  • SHA256

    328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d

  • SHA512

    3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec

  • SSDEEP

    49152:B1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:BUHTPJg8z1mKnypSbRxo9JCm

Malware Config

Extracted

Family

orcus

Botnet

Wave

C2

31.44.184.52:15288

Mutex

sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\securedatalifeasync\universal_.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Target

      MalwareBazaar.0

    • Size

      3.0MB

    • MD5

      df016abe8bfe2653c1dca38309260358

    • SHA1

      253c95a2b7f13d39b9a03ba9a52785258e439340

    • SHA256

      328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d

    • SHA512

      3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec

    • SSDEEP

      49152:B1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:BUHTPJg8z1mKnypSbRxo9JCm

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.