orcus | 9fa4cccfa53bad5661ce943e04c9be90N | Triage

Sharing

General

Target

9fa4cccfa53bad5661ce943e04c9be90N
Size

903KB
MD5

9fa4cccfa53bad5661ce943e04c9be90
SHA1

56e7b9ff0e9cb7f4c051a87d2d09f7af153228c0
SHA256

20393d6470b7bc3377893a522fa0d1e55683a583263e581d7460e3cd8e6155f2
SHA512

382b4e97dc9b0465e21866f957181756d1ebb6f98d562bd8771632af905b1cc5e3761dfd438c0de2a72ce6439427e07b7429875ecc0cbff9aa0e99cc62296696
SSDEEP

12288:j0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCBfm9rR6W7BaepBwzo7dG1lFlWV:gam4MROxnF4HrrcI0AilFEvxHPToo1

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

s1.putinso.site:2047

Mutex

c324c0dedf48483e98d1048845609497

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%appdata%\mine\updater.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
updater
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
9fa4cccfa53bad5661ce943e04c9be90N

Files

9fa4cccfa53bad5661ce943e04c9be90N
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 898KB - Virtual size: 897KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ