General
-
Target
BoostWare Woofer.exe
-
Size
10.0MB
-
Sample
250228-mv35baysew
-
MD5
7a0de259284a750bc1b9e489a3c549ee
-
SHA1
8bd17616907d5adf94489d2d6c833c55425148d0
-
SHA256
6929f40d7bd70ce7e5189f9c940767d1d4426bcadd66828d1298ca96ffa44eb2
-
SHA512
8c0a47f0ed7a1d30e8a5de563debac0753eac29db92445c9b14cdb905a09a6a34d7adbdbdacae774ee962cfc6f6a5f357ed71931b488b8f174a3fa99134c3704
-
SSDEEP
196608:stDsBPeJ5EHWb/I0onV2TNRXbUgoL8aA0TO3e5bau5Zcx:0xAE/IJ2TNugUHNyu5M
Malware Config
Extracted
orcus
Fortnite
82.9.246.24:8808
f65beca88ddb49089d3a6be2931bc598
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Microsoft\Skype.exe
-
reconnect_delay
10000
-
registry_keyname
Skype
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\Skype.exe
Targets
-
-
Target
BoostWare Woofer.exe
-
Size
10.0MB
-
MD5
7a0de259284a750bc1b9e489a3c549ee
-
SHA1
8bd17616907d5adf94489d2d6c833c55425148d0
-
SHA256
6929f40d7bd70ce7e5189f9c940767d1d4426bcadd66828d1298ca96ffa44eb2
-
SHA512
8c0a47f0ed7a1d30e8a5de563debac0753eac29db92445c9b14cdb905a09a6a34d7adbdbdacae774ee962cfc6f6a5f357ed71931b488b8f174a3fa99134c3704
-
SSDEEP
196608:stDsBPeJ5EHWb/I0onV2TNRXbUgoL8aA0TO3e5bau5Zcx:0xAE/IJ2TNugUHNyu5M
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Obfuscated Files or Information
1Command Obfuscation
1