General

  • Target

    dickmedown.exe

  • Size

    915KB

  • Sample

    240806-n4hemssdmc

  • MD5

    816e2bdaa95db7d567c96316888ced40

  • SHA1

    b56a69a350eaed78a4f37fc78a3adedb0fcc48a4

  • SHA256

    c63478d09c4947499eb077a2a9cca07a07e837841a19ca3c8d02dac158e5aaaf

  • SHA512

    6de21c0fd00e074cc7e34efad8be696238a25d2910777379256468e0bc99caba2320cc7bc2ecc758f61c052b6eaa7f201ff57841289bc53504849299fefa365a

  • SSDEEP

    12288:W0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCucpCwFuCQaUepPToIp7dG1lFlG:UU04MROxnFeUrrcI0AilFEvxHPqcoos

Malware Config

Extracted

Family

orcus

Botnet

free client from my cumslut

C2

community-married.gl.at.ply.gg:14614

Mutex

bef7c7ea99c940fd82bf56700ce32a12

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Windows6969\WindowsSexMachine.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      dickmedown.exe

    • Size

      915KB

    • MD5

      816e2bdaa95db7d567c96316888ced40

    • SHA1

      b56a69a350eaed78a4f37fc78a3adedb0fcc48a4

    • SHA256

      c63478d09c4947499eb077a2a9cca07a07e837841a19ca3c8d02dac158e5aaaf

    • SHA512

      6de21c0fd00e074cc7e34efad8be696238a25d2910777379256468e0bc99caba2320cc7bc2ecc758f61c052b6eaa7f201ff57841289bc53504849299fefa365a

    • SSDEEP

      12288:W0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCucpCwFuCQaUepPToIp7dG1lFlG:UU04MROxnFeUrrcI0AilFEvxHPqcoos

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks