orcus | UZI[.]bat | Triage

Sharing

General

Target

UZI.bat
Size

1.1MB
MD5

8704d08e0f525a4845031d66f64382ac
SHA1

a2f1438cbfa9692a467d816bbd04658191567719
SHA256

6eb1179500bba11bb328612e0938cd5753d6569a45882a0ecc210f29fa5a7d54
SHA512

3fca1309c6c02d917d67531f8083039812c9ba70bce4e6b3f8b3f7ece9229ab9598ecf5aeb56df4825f43264fba18c9f2cd2c0a4f7516d8fbe8ba5cc7db42b45
SSDEEP

24576:Fam4MROxnF4HrrcI0AilFEvxHPRZoo1jXb2:FOMiaHrrcI0AilFEvxHPjr

Score

10^/10

orcus

Malware Config

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
UZI.bat

Files

UZI.bat
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ