General
-
Target
b2b799de79ae7073d1f92584000e7de9ac6ce223e1e1123b6960297df857dc17
-
Size
2.3MB
-
Sample
241226-bdr5yatjgq
-
MD5
640810384369b5434037b059e178d2cb
-
SHA1
67f0e5c4df09a2f6fe86574f681569e3d2bd8879
-
SHA256
b2b799de79ae7073d1f92584000e7de9ac6ce223e1e1123b6960297df857dc17
-
SHA512
b504a544392c24adb40fa75756470e47cf03b921f2c0bff7f24e3af3a58a6ef2d754a6149fbaba643b1c78d05c31896172863dcd2f4d33d0bf49c46240c81958
-
SSDEEP
49152:y4AMirXrrcI0AilFEvxHPLPUwXNYSLNTdqjy6:y4AtUwc
Malware Config
Extracted
orcus
System
199.195.253.181:25202
ecca0f439cec4158b200af951642a93a
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%appdata%\Microsoft\speech\voices\COM Surrogate.exe
-
reconnect_delay
10000
-
registry_keyname
COM_key
-
taskscheduler_taskname
COM start
-
watchdog_path
AppData\COM Surrogate.exe
Extracted
quasar
1.0.0
COM Surrogate
194.29.101.219:25201
45.91.92.112:25201
199.195.253.181:25201
6953938f-ba49-4496-840c-af4ae63c3c3e
-
encryption_key
23992CD46AE82E7A5F390707A57232703BF090FE
-
install_name
COM Surrogate.exe
-
log_directory
Logs
-
reconnect_delay
5000
-
startup_key
COM Surrogate
-
subdirectory
Microsoft
Targets
-
-
Target
b2b799de79ae7073d1f92584000e7de9ac6ce223e1e1123b6960297df857dc17
-
Size
2.3MB
-
MD5
640810384369b5434037b059e178d2cb
-
SHA1
67f0e5c4df09a2f6fe86574f681569e3d2bd8879
-
SHA256
b2b799de79ae7073d1f92584000e7de9ac6ce223e1e1123b6960297df857dc17
-
SHA512
b504a544392c24adb40fa75756470e47cf03b921f2c0bff7f24e3af3a58a6ef2d754a6149fbaba643b1c78d05c31896172863dcd2f4d33d0bf49c46240c81958
-
SSDEEP
49152:y4AMirXrrcI0AilFEvxHPLPUwXNYSLNTdqjy6:y4AtUwc
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Orcurs Rat Executable
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1