Overview

overview

10

Static

static

10

32d8c2a1bb...53.exe

windows7-x64

10

32d8c2a1bb...53.exe

windows10-2004-x64

10

Resubmissions

11-01-2025 19:31

250111-x8ghksxjfw 10

11-01-2025 19:28

250111-x6tecsxjds 10

11-01-2025 19:27

250111-x58gwszjbn 10

11-01-2025 19:25

250111-x43v1swrhz 10

11-01-2025 19:22

250111-x272ysyrcl 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.zip

  • Size

    259KB

  • Sample

    250111-x58gwszjbn

  • MD5

    5a2a602b512859b2fcd5a200b5a4fea2

  • SHA1

    eb19baacf4231c4c75c2dd9a9cb620a9b40f4c97

  • SHA256

    de405e80d59503bf1ac724e65aea61f0c6849311338fa120c9a01354228d0ef9

  • SHA512

    3682cb064e0705ae80e2a8c86937f47271368aa3f79151908771212bc29dcaeae4035545e6b21d5f402c60e05b00ddd30ebc8e71498d207cc8fabf0556689845

  • SSDEEP

    6144:w6dYAV0Ut3QtBpXjXq2O/KM1fgyY8niM/a00iBrZIVjmRhaiMTYXZ:XQuQRrnfM1087y00iB2VjSHyYJ

Score
10/10
orcusremcosfivempaydaytrydiscoveryevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

paydaytry

C2

198.50.242.157:443

apleegodfivem.ddns.net:443
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    GoogleUpdate.exe

  • copy_folder

    GoogleDat

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    bootdata

  • mouse_option

    false

  • mutex

    Attempt-S4A0CI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    ChromeUpdater

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

orcus

Botnet

FIVEM

C2

198.50.242.157:3846

Mutex

7c8e6bec5a514abfa98e8c7d116e215a

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\GoogleChromeUpt\Updater.exe

  • reconnect_delay

    10000

  • registry_keyname

    ChromeStarter

  • taskscheduler_taskname

    Start

  • watchdog_path

    AppData\ChromeDEV.exe

Targets

    • Target

      32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe

    • Size

      469KB

    • MD5

      991e707e324731f86a43900e34070808

    • SHA1

      5b5afd8cecb865de3341510f38d217f47490eead

    • SHA256

      32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153

    • SHA512

      07411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79

    • SSDEEP

      12288:wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQScn9:wiLJbpI7I2WhQqZ7c9

    Score
    10/10
    orcusremcosfivempaydaytrydiscoveryevasionpersistenceratspywarestealertrojan

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Orcus main payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • UAC bypass

      evasiontrojan

    • Orcurs Rat Executable

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks