General
-
Target
123123.exe
-
Size
903KB
-
Sample
240919-zrhenazhpn
-
MD5
be600c84c2975ab640487f7d896080d8
-
SHA1
6eb2dbaace9f52f08000908c82b02827ca401838
-
SHA256
f053cf0164ed9a1c81f220ae3d1002acb7d4fb0154ee9e08588a6d24f84a24f1
-
SHA512
9b5c0aaa3dbd61f8d2aaecb2b44de0d1bb47e72f42bd63d3f46b7c95feeed2271ed5ee497e27da5ca09dbd4429a08230c8a5f4bd1fef9b71024dd33e5f95fadb
-
SSDEEP
12288:g8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:R3s4MROxnF9LqrZlI0AilFEvxHi+o
Malware Config
Extracted
orcus
23.84.85.170:8888
6c8f63d94afe4a09b223a2e8da9b77f3
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
123123.exe
-
Size
903KB
-
MD5
be600c84c2975ab640487f7d896080d8
-
SHA1
6eb2dbaace9f52f08000908c82b02827ca401838
-
SHA256
f053cf0164ed9a1c81f220ae3d1002acb7d4fb0154ee9e08588a6d24f84a24f1
-
SHA512
9b5c0aaa3dbd61f8d2aaecb2b44de0d1bb47e72f42bd63d3f46b7c95feeed2271ed5ee497e27da5ca09dbd4429a08230c8a5f4bd1fef9b71024dd33e5f95fadb
-
SSDEEP
12288:g8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:R3s4MROxnF9LqrZlI0AilFEvxHi+o
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-