orcus | asynced[.]exe | Triage

Sharing

General

Target

asynced.exe
Size

3.0MB
MD5

e9ef5e3e933bde251efc8782a144a914
SHA1

65391af972f53b83c3a25d01474908e247d29af9
SHA256

eaae55454ba3a037f6fc934d38fd9574da848fa7b6bfc0dcf986f9b43ea1e224
SHA512

c902c713e3c750ddd02c6d67efa7c12500acaf956ea69cb5bf6ea0dcdb0436d8b09971ef2ca47a39771bb20aa59b9a7072428d531eb519fa3fbf0b4d39841546
SSDEEP

49152:eNODf7+QSLqZeM9/04zgaMWUljQfJgVXkKAypQxb0/o9JnCmsWncFf0I74gu3zM:egyb2MnjQBEUNypSb6o9JCm

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

192.168.1.240:10134

Mutex

77864a0839f04e838299ef8d362eb706

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
asynced.exe

Files

asynced.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ