orcus | 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc | Triage

Sharing

General

Target

72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
Size

3.0MB
MD5

595866ce3023aa7a94a221bcff8bfe15
SHA1

f1f8c080b238b7ea66d0d42732268fca9ae77364
SHA256

72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
SHA512

75a406fdb7b862786f9ad402ca475affad57393d604669b2912db5cca3193f538f4fa5512d5f1524bdff4006cacd0ec664b5451f18a292ae2f34e2686f2d5308
SSDEEP

49152:zkt1ZeM9/3EgHcyH4Z9fVTB4krLzS+HAypQxbOqUo9JnCmOK1IZfKGnlFr5Ixnc7:zktGjzD5rfLgypSbKo9JCm01n

Score

10^/10

standoff orcus

Malware Config

Extracted

Family

orcus

Botnet

Standoff

C2

vimeworldserverstat.serveminecraft.net:3306

Mutex

578e841011a443d284fea21232fbf3a6

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Syncing metadata\Explorer.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Explorer
watchdog_path
AppData\Node S2-N.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc

Files

72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ