orcus | 9d1a39e73ff039fc87a595ee74b48e0f577f006df9fe810603796489c6c4b96f | Triage

Sharing

General

Target

9d1a39e73ff039fc87a595ee74b48e0f577f006df9fe810603796489c6c4b96f
Size

3.1MB
MD5

60e689d9402f24dad600545d15087980
SHA1

1f5dc014fadb6b8f71b9babe61a2071951070d38
SHA256

9d1a39e73ff039fc87a595ee74b48e0f577f006df9fe810603796489c6c4b96f
SHA512

4c23698a87d1b90ed9bb73677528d379d0be2b38b0f36c9825ef26fcd563e220390224221366d483d217958046144ee7f401408703df595fa71e40d61c456ca3
SSDEEP

49152:J8vzrnasoxYggPzr0KZatf9jxfzZKM61I8mC/Qg3zaY4MUpdgHAypQxbWo9JnCmg:J8vc1jxA1+C9DapRcgypSbWo9JCm

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

192.168.1.102:10135

Mutex

7525415d326f43ec9c2f59212362ba0b

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
9d1a39e73ff039fc87a595ee74b48e0f577f006df9fe810603796489c6c4b96f

Files

9d1a39e73ff039fc87a595ee74b48e0f577f006df9fe810603796489c6c4b96f
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ