General
-
Target
6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706.exe
-
Size
6.9MB
-
Sample
241207-c7x4qaxneq
-
MD5
a67e34baacfca98f323981d3b0087f3b
-
SHA1
d22ccae2971df83812acaebc750d9a2c87357fe5
-
SHA256
6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
-
SHA512
39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d
-
SSDEEP
196608:cALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:a6fuiPrfZ1RBP60bs25rXQ66WnG
Malware Config
Extracted
orcus
45.74.38.211:4782
7a9c0f279c464958aebbd585f20f1cf2
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Extracted
https://exodus.lat/COMSurrogate.exe
Targets
-
-
Target
6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706.exe
-
Size
6.9MB
-
MD5
a67e34baacfca98f323981d3b0087f3b
-
SHA1
d22ccae2971df83812acaebc750d9a2c87357fe5
-
SHA256
6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
-
SHA512
39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d
-
SSDEEP
196608:cALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:a6fuiPrfZ1RBP60bs25rXQ66WnG
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
-
Ta505 family
-
XMRig Miner payload
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Orcurs Rat Executable
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2