General
-
Target
htdhfrsfs.exe
-
Size
903KB
-
Sample
240920-1a3jyayhkp
-
MD5
942a8d7c0a5bdd9639ff9805365021a3
-
SHA1
019ebb82c3208968d53b03cb940fb342c85b6a6c
-
SHA256
a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807
-
SHA512
5484158ba1b75cee0a4111b2e53c46c266546906ade4ed516eac3b0c53536f5fbc7a6b3849fe345a0ae60f6955c5da83716f2fdb1f59a9183e847f5e3713512d
-
SSDEEP
12288:Z8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:m3s4MROxnF9LqrZlI0AilFEvxHinSo
Malware Config
Extracted
orcus
23.84.85.170:3389
466139a685e046efa39e67d19f3bebeb
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
htdhfrsfs.exe
-
Size
903KB
-
MD5
942a8d7c0a5bdd9639ff9805365021a3
-
SHA1
019ebb82c3208968d53b03cb940fb342c85b6a6c
-
SHA256
a7416cfb861ac1151c17305ec1b43f033729f637a0c74a15b3d0a85f68e90807
-
SHA512
5484158ba1b75cee0a4111b2e53c46c266546906ade4ed516eac3b0c53536f5fbc7a6b3849fe345a0ae60f6955c5da83716f2fdb1f59a9183e847f5e3713512d
-
SSDEEP
12288:Z8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:m3s4MROxnF9LqrZlI0AilFEvxHinSo
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-