Resubmissions

26-10-2024 23:19

241026-3a1rfsxrgm 10

26-10-2024 23:18

241026-3absbs1fnl 10

26-10-2024 23:16

241026-29dkjaymaw 10

General

  • Target

    test.exe

  • Size

    3.0MB

  • Sample

    241026-3a1rfsxrgm

  • MD5

    7b3150ddd3df859f8f6f36cb041b23f7

  • SHA1

    c3934ab76025c17cab3d309a96c1e32df9ad9d65

  • SHA256

    675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

  • SHA512

    a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214

  • SSDEEP

    49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

Malware Config

Extracted

Family

orcus

C2

Index1337z-43991.portmap.host:43991

Mutex

be9b19219c62425cbffd5b98125d81a6

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      test.exe

    • Size

      3.0MB

    • MD5

      7b3150ddd3df859f8f6f36cb041b23f7

    • SHA1

      c3934ab76025c17cab3d309a96c1e32df9ad9d65

    • SHA256

      675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

    • SHA512

      a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214

    • SSDEEP

      49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • UAC bypass

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

MITRE ATT&CK Enterprise v15

Tasks