orcus | f39d2fd8ade05fe148543b7f0ef29d50cc07e63f16ec68ebcbda78d254585102

General

Target

f39d2fd8ade05fe148543b7f0ef29d50cc07e63f16ec68ebcbda78d254585102
Size

915KB
MD5

19fa8a03adf350cd95bf2b1fc2573cda
SHA1

eea30cdea85c3b4afc41ab4801920adc505b60a0
SHA256

f39d2fd8ade05fe148543b7f0ef29d50cc07e63f16ec68ebcbda78d254585102
SHA512

72316d36d0617b5607e4b04e29378262ad181d15541196745f1a6bbafff0cb0bd24c44249258ff9da0d3bea144e597fb876d0ba9a09147ebfa0dddfe6add296f
SSDEEP

24576:YGq4MROxnFi37scrrcI0AilFEvxHPLoo9:YuMiogcrrcI0AilFEvxHP

Score

10^/10

skr orcus

Malware Config

Extracted

Family

orcus

Botnet

skr

C2

192.168.100.6:11111

Mutex

b3aa60325c6047f096cc62b26c15372c

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
NvNodeLauncher_{B2F71952-0186-46C3-BAEC-A80AA35AC5B8}
taskscheduler_taskname
NvNodeLauncher_{B8FV1952-S1Y6-46D3-B8EC-A8VAA355C5B8}
watchdog_path
Temp\bcastdvr.exe

Signatures

Orcurs Rat Executable 1 IoCs

Processes:

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
f39d2fd8ade05fe148543b7f0ef29d50cc07e63f16ec68ebcbda78d254585102

Files

f39d2fd8ade05fe148543b7f0ef29d50cc07e63f16ec68ebcbda78d254585102
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 912KB - Virtual size: 912KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 912KB - Virtual size: 912KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 912KB - Virtual size: 912KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B