Resubmissions

03-10-2024 21:19

241003-z6m9fsxcjn 10

03-10-2024 21:14

241003-z3g82azhmb 10

03-10-2024 21:10

241003-z1h3jszglg 10

03-10-2024 21:03

241003-zv1emszeje 10

General

  • Target

    snos.exe

  • Size

    916KB

  • Sample

    241003-z1h3jszglg

  • MD5

    defc2abbed64bb0a53c7b9fa04d9d114

  • SHA1

    926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

  • SHA256

    4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

  • SHA512

    00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

  • SSDEEP

    24576:NVWC4MROxnFD3krXYf1rrcI0AilFEvxHPdmoo6:NqMiJtrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

45.200.148.205:10134

Mutex

2857e61aa1024db89df5be17078af5ab

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\sistemwinhost\winhost1235.exe

  • reconnect_delay

    10000

  • registry_keyname

    registry

  • taskscheduler_taskname

    registre

  • watchdog_path

    AppData\Servicemanagaer.exe

Targets

    • Target

      snos.exe

    • Size

      916KB

    • MD5

      defc2abbed64bb0a53c7b9fa04d9d114

    • SHA1

      926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

    • SHA256

      4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

    • SHA512

      00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

    • SSDEEP

      24576:NVWC4MROxnFD3krXYf1rrcI0AilFEvxHPdmoo6:NqMiJtrrcI0AilFEvxHP

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks