orcus | 890a02f4e0c8bc09cfad53b688ad04016d8c78e94514e69684323598aabd6361 | Triage

Sharing

General

Target

890a02f4e0c8bc09cfad53b688ad04016d8c78e94514e69684323598aabd6361
Size

933KB
MD5

46418e78f2b8d6b8ff8069610f499921
SHA1

529fbc61339cf988b2d98a25a30bc548019c0125
SHA256

890a02f4e0c8bc09cfad53b688ad04016d8c78e94514e69684323598aabd6361
SHA512

1b1d97a413b0f2de21d056aac047c2f279a5b3c7314513a4f983262fb03eede5f065aaa2d02943b964dd9c4306db5f84a50889a280c6c2da97a94359a224ef69
SSDEEP

24576:yRP4MROxnFKj3wyv/rrcI0AilFEvxHPUooS:yyMi4TwurrcI0AilFEvxHP

Score

10^/10

vgbn orcus

Malware Config

Extracted

Family

orcus

Botnet

vgbn

C2

192.168.0.104:10134

Mutex

2efe898857ff456fbb532c7b6f2f16cb

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Windows\xcvbhdf.exe
reconnect_delay
10000
registry_keyname
xcvbhdf.exe
taskscheduler_taskname
xcvbhdf.exe
watchdog_path
AppData\asdfasdfasdf.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
890a02f4e0c8bc09cfad53b688ad04016d8c78e94514e69684323598aabd6361

Files

890a02f4e0c8bc09cfad53b688ad04016d8c78e94514e69684323598aabd6361
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 930KB - Virtual size: 929KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ