Overview

overview

10

Static

static

10

segseg.exe

windows7-x64

10

segseg.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    segseg.exe

  • Size

    839KB

  • Sample

    241128-yp5xhaylbw

  • MD5

    0994b37669146a1384224c18299c054f

  • SHA1

    cf9e3baf60db3b3813a87eaf8d1281105adab7f4

  • SHA256

    a83d873568dd41be58d05aa7085684f05793bde5d5c28a1b2070e3a5f16bbfb8

  • SHA512

    536162a78038e954bab16dd79284a71fa05faf69476a4cf7579c40b2446fe93b85889e00ee98c4087954bb498ae437634010b81b091a18c69488b6a68adf69da

  • SSDEEP

    24576:r+QS04YNEMuExDiU6E5R9s8xY/2l/dQIbt+rm:r+44auS+UjfU2TQIbt+r

Score
10/10
orcusawegawegdiscoveryevasionratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

awegaweg

C2

127.0.0.1

m5email-hitting.gl.at.ply.gg
Mutex

325f1a6979b8439d8f6f8ffa11007658

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    11/28/2024 20:57:44

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      segseg.exe

    • Size

      839KB

    • MD5

      0994b37669146a1384224c18299c054f

    • SHA1

      cf9e3baf60db3b3813a87eaf8d1281105adab7f4

    • SHA256

      a83d873568dd41be58d05aa7085684f05793bde5d5c28a1b2070e3a5f16bbfb8

    • SHA512

      536162a78038e954bab16dd79284a71fa05faf69476a4cf7579c40b2446fe93b85889e00ee98c4087954bb498ae437634010b81b091a18c69488b6a68adf69da

    • SSDEEP

      24576:r+QS04YNEMuExDiU6E5R9s8xY/2l/dQIbt+rm:r+44auS+UjfU2TQIbt+r

    Score
    10/10
    orcusawegawegdiscoveryratspywarestealerevasion

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks