General
-
Target
5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c
-
Size
4.0MB
-
Sample
241208-vhhlvazkds
-
MD5
8b0fa2f9a7d3822c44580a49dd546c97
-
SHA1
e90ac8103e2877a3c607fd8e4bdcd4a132846015
-
SHA256
5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c
-
SHA512
2f168cfaf3cab1ab5cf274bc7983a64587fd26487fffa733393146e02ea609c0a0ed8f4527b58ad82416557afe91d1efa0b11afd35fbdfce7bc7a48a77c23680
-
SSDEEP
98304:MANuSZTKA0t9FFPEE6zTOwlRVny+pnp4huLe1ypSb3o9JCm:/bk9fcHiwVyWRi1ypS6JC
Malware Config
Extracted
orcus
45.74.38.211:4782
5473b263a5de48aaabfe373bccf83dd2
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Extracted
https://exodus.lat/COMSurrogate.exe
Targets
-
-
Target
5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c
-
Size
4.0MB
-
MD5
8b0fa2f9a7d3822c44580a49dd546c97
-
SHA1
e90ac8103e2877a3c607fd8e4bdcd4a132846015
-
SHA256
5765545ccc1b99ac6ac37b2d6e2a8cbaf3e30f767b069620a734c3f8022db39c
-
SHA512
2f168cfaf3cab1ab5cf274bc7983a64587fd26487fffa733393146e02ea609c0a0ed8f4527b58ad82416557afe91d1efa0b11afd35fbdfce7bc7a48a77c23680
-
SSDEEP
98304:MANuSZTKA0t9FFPEE6zTOwlRVny+pnp4huLe1ypSb3o9JCm:/bk9fcHiwVyWRi1ypS6JC
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
-
Ta505 family
-
UAC bypass
-
XMRig Miner payload
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Orcurs Rat Executable
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Hijack Execution Flow: Executable Installer File Permissions Weakness
Possible Turn off User Account Control's privilege elevation for standard users.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2