General

  • Target: 1.exe
  • Size: 3.0MB
  • Sample: 241008-phlevazgnb
  • MD5: 1c3d920e9083781d881ed09efe737e3e
  • SHA1: db0d3e1c5622f439265fc49112717e134c9a8d4c
  • SHA256: 75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de
  • SHA512: 526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949
  • SSDEEP: 49152:GXbEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmlcrZEu:GXbtODUKTslWp2MpbfGGilIJPypSbxEb

Malware Config

Extracted

  • Family: orcus
  • C2: Ezling-25441.portmap.host:25441
  • Mutex: d9a68a06158a4170bbc5f456a7f7076a

Attributes

  • autostart_method: Disable
  • enable_keylogger: false
  • install_path: %programfiles%\Orcus\Orcus.exe
  • reconnect_delay: 10000
  • registry_keyname: Orcus
  • taskscheduler_taskname: Orcus
  • watchdog_path: AppData\OrcusWatchdog.exe

Targets

    • Target: 1.exe
    • Size: 3.0MB
    • MD5: 1c3d920e9083781d881ed09efe737e3e
    • SHA1: db0d3e1c5622f439265fc49112717e134c9a8d4c
    • SHA256: 75bc4d362485bf57a072a62a3c11d6590a38a43598eb1ce259c50a0cb0a578de
    • SHA512: 526edeffdbcfa77a2179038adef5e624e18e20413ec789f41f427dd71cb33dacf827c4a505b31cd5f1e49d164dfd25f21233f2069521f0d8c5b4a4ebf9c4b949
    • SSDEEP: 49152:GXbEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmlcrZEu:GXbtODUKTslWp2MpbfGGilIJPypSbxEb

    • Orcus: Orcus is a Remote Access Trojan that is being sold on underground forums.
    • Orcus main payload
    • Orcus Rat Executable
    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks