General

  • Target

    cc62f528321a982a0a4925b02fab1fc14047242df2cde9274fc447606e4e8924

  • Size

    3.0MB

  • Sample

    241202-bfd14awngk

  • MD5

    92e8237b684a86a17b61183af6588b05

  • SHA1

    dfb87ecc85b2bf81119cde5f81e3e3d71e6158fc

  • SHA256

    cc62f528321a982a0a4925b02fab1fc14047242df2cde9274fc447606e4e8924

  • SHA512

    c6824826d496f1ba9057f6aeb3e0c30cec3dc5da6889a3d4de1f1b1d19be6a9aa50c4cbe73e159411b6eb899a704e20a3b7dce3f6beffc5a93e85a820d373b69

  • SSDEEP

    49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qb:CsHTPJg8z1mKnypSbRxo9JCm

Malware Config

Extracted

Family

orcus

Botnet

meow

C2

31.44.184.52:62676

Mutex

sudo_vmbntgqy8knzac4v2g38gwmfpx80fxps

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\Bluestacks_nxt\Bluestacks.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Target

      cc62f528321a982a0a4925b02fab1fc14047242df2cde9274fc447606e4e8924

    • Size

      3.0MB

    • MD5

      92e8237b684a86a17b61183af6588b05

    • SHA1

      dfb87ecc85b2bf81119cde5f81e3e3d71e6158fc

    • SHA256

      cc62f528321a982a0a4925b02fab1fc14047242df2cde9274fc447606e4e8924

    • SHA512

      c6824826d496f1ba9057f6aeb3e0c30cec3dc5da6889a3d4de1f1b1d19be6a9aa50c4cbe73e159411b6eb899a704e20a3b7dce3f6beffc5a93e85a820d373b69

    • SSDEEP

      49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qb:CsHTPJg8z1mKnypSbRxo9JCm

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks