General
-
Target
xda.exe
-
Size
3.0MB
-
Sample
241028-kkeb4avgjm
-
MD5
cf6aa82e9cb164a4ddd30a1f77db1eb7
-
SHA1
60790744a396419695221c39aee74672bc67fa66
-
SHA256
e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
-
SHA512
e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
-
SSDEEP
49152:XzTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmWrZEIN:XzTtODUKTslWp2MpbfGGilIJPypSbxE8
Malware Config
Extracted
orcus
89.23.100.155:1337
d058ef377b7f46bea0e52b669562775b
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
xda.exe
-
Size
3.0MB
-
MD5
cf6aa82e9cb164a4ddd30a1f77db1eb7
-
SHA1
60790744a396419695221c39aee74672bc67fa66
-
SHA256
e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
-
SHA512
e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
-
SSDEEP
49152:XzTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmWrZEIN:XzTtODUKTslWp2MpbfGGilIJPypSbxE8
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload
-
UAC bypass
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Hijack Execution Flow: Executable Installer File Permissions Weakness
Possible Turn off User Account Control's privilege elevation for standard users.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1