General

Target: c5ad23faa63952a9c2a6f26fdbc0996bf7b44ba0c566b209a9fa0ffd97404cd2N
Size: 3.0MB
Sample: 240922-g8wphawcnq
MD5: 5487d71c19c09ded835191e89feba640
SHA1: 6c13f1e61e8cf66ae728a53c49497899def41092
SHA256: c5ad23faa63952a9c2a6f26fdbc0996bf7b44ba0c566b209a9fa0ffd97404cd2
SHA512: 0d17303a9bc1903d298eb5d6cc8d1d36bfa1950c9fe14d8d03623381c5d4f75f5e6eb376474b4d67081906630459be4374a980992622515b3646170b8b8f6181
SSDEEP: 49152:dsFN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmwWncFf0I74gu3+SM:do0wGGzBjryX82uypSb9ndo9JCm
Behavioral task

behavioral1
Sample: c5ad23faa63952a9c2a6f26fdbc0996bf7b44ba0c566b209a9fa0ffd97404cd2N.exe
Resource: win7-20240903-en
Malware Config

Extracted

Family: orcus
C2: voidsystems.duckdns.org:23210
Mutex: db2de9eb436a494988e51052087353b5
autostart_method: TaskScheduler
enable_keylogger: false
install_path: %programfiles%\KernelGuard\SafeGuard.exe
reconnect_delay: 10000
registry_keyname: KernelEncryptionProtocolKEP
taskscheduler_taskname: SafeGuard
watchdog_path: AppData\KernelAntiLoopGuard
Targets

Target: c5ad23faa63952a9c2a6f26fdbc0996bf7b44ba0c566b209a9fa0ffd97404cd2N
Size: 3.0MB
MD5: 5487d71c19c09ded835191e89feba640
SHA1: 6c13f1e61e8cf66ae728a53c49497899def41092
SHA256: c5ad23faa63952a9c2a6f26fdbc0996bf7b44ba0c566b209a9fa0ffd97404cd2
SHA512: 0d17303a9bc1903d298eb5d6cc8d1d36bfa1950c9fe14d8d03623381c5d4f75f5e6eb376474b4d67081906630459be4374a980992622515b3646170b8b8f6181
SSDEEP: 49152:dsFN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmwWncFf0I74gu3+SM:do0wGGzBjryX82uypSb9ndo9JCm

Signatures

Orcurs Rat Executable

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.

Executes dropped EXE

Drops file in System32 directory