General

  • Target: b46ca3e280c9c9d86e111e56f53373336260a7cb5365d869e7d75bcfcd516846
  • Size: 1.8MB
  • Sample: 241129-bek31ssqaj
  • MD5: 7198068d0bacbf0fc100501e1277a12e
  • SHA1: d5b6f1d6657049e22fa0afd33cd67a6da23f50d9
  • SHA256: b46ca3e280c9c9d86e111e56f53373336260a7cb5365d869e7d75bcfcd516846
  • SHA512: 5fe588e906d78985dfc81241c62b8d1765bad528e4a5bcf0a43ea1e9b639a5fbba8f1dc3b7c0e9d89ad61c5ac26326aef02e8f673869ba5ef8b86a607983f0ec
  • SSDEEP: 49152:xeMibK7U6rrcI0AilFEvxHP4MrLocaKjGs:xeS3

Malware Config

Extracted

  • Family: orcus
  • Botnet: solara
  • C2: 212.15.49.233:5050
  • Mutex: 094a584ddb794dbe9ff094ec5bbdb4d1

Attributes

  • autostart_method: TaskScheduler
  • enable_keylogger: false
  • install_path: %programfiles%\Orcus\Orcus.exe
  • reconnect_delay: 10000
  • registry_keyname: SystemSettings
  • taskscheduler_taskname: UserOOBEBroker
  • watchdog_path: AppData\taskhostw.exe

Targets

    • Target: b46ca3e280c9c9d86e111e56f53373336260a7cb5365d869e7d75bcfcd516846
    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
    • Orcus
      Orcus is a Remote Access Trojan that is being sold on underground forums.
    • Orcus family
    • Orcus main payload
    • Orcus Rat Executable
    • Downloads MZ/PE file
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Unexpected DNS network traffic destination
      Network traffic to servers other than the configured DNS servers was detected on the DNS port.
    • Blocklisted process makes network request
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Legitimate hosting services abused for malware hosting/C2
    • Drops file in System32 directory