General

  • Target

    a83f4eca80ef34fb03c41b13e784d5fb2b17408e0e44be4c4ab06df3239e4273.exe

  • Size

    2.4MB

  • Sample

    241124-avy45s1lbp

  • MD5

    cc144a1c7ea70734f64c7e12f01225da

  • SHA1

    c505a0ca7d2df3887e929878a07b4deee5a8856b

  • SHA256

    a83f4eca80ef34fb03c41b13e784d5fb2b17408e0e44be4c4ab06df3239e4273

  • SHA512

    7e7820f90379a18a6f629fb4c152021f1eff1da9a25ee8723e494630a7bba1c7061b2071b558bb0ef90fa076a96f24b13977bc6eaac4f1bc7b1443bde17a8b38

  • SSDEEP

    49152:WUZpaTotR8lX5xVzBs1iUEhdXv1s57SzyLKVFICWSWyYX3rLYFnB:PaTq8PzbTXv2lKVyQeWB

Malware Config

Extracted

Family

orcus

Botnet

warface

C2

95.217.141.218:25565

Mutex

d9ad65394c624b9b95453d26cab4c9e1

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    WindowsDefender

  • taskscheduler_taskname

    WindowsDefender

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      a83f4eca80ef34fb03c41b13e784d5fb2b17408e0e44be4c4ab06df3239e4273.exe

    • Size

      2.4MB

    • MD5

      cc144a1c7ea70734f64c7e12f01225da

    • SHA1

      c505a0ca7d2df3887e929878a07b4deee5a8856b

    • SHA256

      a83f4eca80ef34fb03c41b13e784d5fb2b17408e0e44be4c4ab06df3239e4273

    • SHA512

      7e7820f90379a18a6f629fb4c152021f1eff1da9a25ee8723e494630a7bba1c7061b2071b558bb0ef90fa076a96f24b13977bc6eaac4f1bc7b1443bde17a8b38

    • SSDEEP

      49152:WUZpaTotR8lX5xVzBs1iUEhdXv1s57SzyLKVFICWSWyYX3rLYFnB:PaTq8PzbTXv2lKVyQeWB

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks