Overview

overview

10

Static

static

10

a1aceb4721...25.exe

windows7-x64

10

a1aceb4721...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1aceb472152e5f8a0da2389a13f2db959788d8790c97363dbf742ef966c5b25.exe

  • Size

    910KB

  • MD5

    8e3f383b02d4c62b543d5b7c56d4db79

  • SHA1

    53888e44275358a395630841a244d16226beb1dc

  • SHA256

    a1aceb472152e5f8a0da2389a13f2db959788d8790c97363dbf742ef966c5b25

  • SHA512

    c113e49c3221fb517d66d827a1f822e4133625535b9e950c08b7cc4adedbcd42297143d511fd8fd69adcd3818c24a631acc01afe9ed0206cc43b87fc5a1406c0

  • SSDEEP

    12288:/0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCg+34ai5V2Xopqi1n07dG1lFlWe:L2C4MROxnFRC8rrcI0AilFEvxHjoQJ

Score
10/10
orcusligeonratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1aceb472152e5f8a0da2389a13f2db959788d8790c97363dbf742ef966c5b25.exe
    "C:\Users\Admin\AppData\Local\Temp\a1aceb472152e5f8a0da2389a13f2db959788d8790c97363dbf742ef966c5b25.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3388-0-0x00007FFBFDA13000-0x00007FFBFDA15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3388-1-0x0000000000C40000-0x0000000000D2A000-memory.dmp

    Filesize

    936KB

    Download

  • memory/3388-2-0x0000000002E50000-0x0000000002EAC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/3388-3-0x0000000002E00000-0x0000000002E0E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3388-4-0x00007FFBFDA10000-0x00007FFBFE4D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3388-5-0x0000000002EB0000-0x0000000002EC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3388-6-0x0000000002E30000-0x0000000002E38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3388-7-0x0000000002EC0000-0x0000000002ED8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3388-9-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3388-8-0x000000001C920000-0x000000001CAE2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3388-10-0x00007FFBFDA13000-0x00007FFBFDA15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3388-11-0x00007FFBFDA10000-0x00007FFBFE4D1000-memory.dmp

    Filesize

    10.8MB

    Download