Behavioral task
behavioral1
Sample
chinesespy.exe
Resource
win7-20241010-en
General
-
Target
chinesespy.exe
-
Size
903KB
-
MD5
45b933296191359f5a8dc178c2fb5fe2
-
SHA1
a8670c1bf5622de1d0fe26dcd7f1b48d2c98db18
-
SHA256
b8a15311ed13113ed3f7247859db765c5034151e31ccccbc0651b43c0e9709cc
-
SHA512
d7be0a68d3f67ecbaff1a27e44a4daa45c38e8d845c1ff4dd7b4f64b91661b35f795803c32e16923ebbc474111752fee44293876da61a5c889f033c696cd5b85
-
SSDEEP
12288:O0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCBfm9rR6W7BaepBwzo7dG1lFlWs:Dam4MROxnF4HrrcI0AilFEvxHPUoo1
Malware Config
Extracted
orcus
171.113.133.41:10134
52365d581fe14390b774a210d03d4b04
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcurs Rat Executable 1 IoCs
resource yara_rule sample orcus -
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule sample family_orcus -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource chinesespy.exe
Files
-
chinesespy.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 898KB - Virtual size: 897KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ