General
-
Target
22b3ae08b6c95e534fc9b50db814578f8c10e35eb7f6b20981c26c94fd46ff86
-
Size
3.0MB
-
Sample
250202-bkgyjsylhx
-
MD5
46bf501110b6d9833998f55f9f1fe133
-
SHA1
57aff0efc8f0271423e7e18105b9f6ee64f474f3
-
SHA256
22b3ae08b6c95e534fc9b50db814578f8c10e35eb7f6b20981c26c94fd46ff86
-
SHA512
3f79d213774a07f3cc5a8de5f2d7f874b68da312fee787186f31aa401cf979a755ec20ad094af9ee5e738a8d8b8d6cd7c98bd2b447197ac283a398f5324e252d
-
SSDEEP
49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qbO:CsHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
orcus
Новый тег
31.44.184.52:53590
sudo_tew5o0qgm5zk0uh6hmogc19xixt7kypy
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\linelocal\gamelow.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Targets
-
-
Target
22b3ae08b6c95e534fc9b50db814578f8c10e35eb7f6b20981c26c94fd46ff86
-
Size
3.0MB
-
MD5
46bf501110b6d9833998f55f9f1fe133
-
SHA1
57aff0efc8f0271423e7e18105b9f6ee64f474f3
-
SHA256
22b3ae08b6c95e534fc9b50db814578f8c10e35eb7f6b20981c26c94fd46ff86
-
SHA512
3f79d213774a07f3cc5a8de5f2d7f874b68da312fee787186f31aa401cf979a755ec20ad094af9ee5e738a8d8b8d6cd7c98bd2b447197ac283a398f5324e252d
-
SSDEEP
49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qbO:CsHTPJg8z1mKnypSbRxo9JCm
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-