welcome to netwrkspider

Friday, February 8, 2019

Orcus RAT IOC Details

A new, highly sophisticated campaign delivers the Orcus RAT embedded in video files and images. The campaign focuses mainly on information stealing and .NET evasion.
The Orcus RAT is capable of stealing browser cookies and passwords, launching server stress tests (DDoS attacks), disabling the webcam activity light, recording microphone input, spoofing file extensions, logging keystrokes and more.
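As an added defender-side triage example (not code from the original post, which does not say how the RAT is packed into the media), the script below assumes the payload is carried as a raw PE image inside or after the MP4 box structure: it walks the top-level boxes to find where the container really ends, then looks for an `MZ` stub whose `e_lfanew` points at a `PE\0\0` signature. The sample MP4 and the fake PE stub are constructed inline, not real campaign artifacts.

```python
import struct
PE_SIGNATURE = b"PE\x00\x00"

def mp4_container_end(data: bytes) -> int:
    """Walk top-level MP4 boxes (big-endian 32-bit size + 4-char type) and
    return the offset where the last well-formed box ends. Bytes after
    that offset belong to no box, so a media player simply ignores them."""
    offset = 0
    while offset + 8 <= len(data):
        size, box_type = struct.unpack_from(">I4s", data, offset)
        if size == 1:  # 64-bit "largesize" follows the type field
            if offset + 16 > len(data):
                break
            size = struct.unpack_from(">Q", data, offset + 8)[0]
        elif size == 0:  # box runs to end of file
            return len(data)
        if size < 8 or not box_type.isalnum() or offset + size > len(data):
            break
        offset += size
    return offset

def find_embedded_pe(data: bytes, start: int = 0):
    """Return the offset of the first plausible PE image at or after
    `start`: an 'MZ' stub whose e_lfanew points at 'PE\\0\\0', else None."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if data[sig:sig + 4] == PE_SIGNATURE:
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None

def scan_media(data: bytes) -> dict:
    """Triage an MP4: where the container ends, how many bytes trail it,
    and whether a PE image is carried anywhere in the file."""
    end = mp4_container_end(data)
    pe_off = find_embedded_pe(data)
    return {"container_end": end, "trailing_bytes": len(data) - end,
            "pe_offset": pe_off, "appended": pe_off is not None and pe_off >= end}

# Constructed samples (not real campaign artifacts): a minimal MP4 and the
# same file with a fake 84-byte PE stub appended after the last box.
def _box(box_type: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", 8 + len(payload)) + box_type + payload
CLEAN_MP4 = _box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2mp41") + _box(b"mdat", b"\x00" * 32)
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + PE_SIGNATURE + b"\x00" * 16
TAINTED_MP4 = CLEAN_MP4 + FAKE_PE
```

A non-zero `trailing_bytes` alone is only a hint (some encoders leave junk), so pair it with the PE check before escalating a file.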

IOC Details:

URLs:

Downloader:
2091F8A68BE181B0149C83DCBF2CFC05

MP4 advertisement (embedded Orcus RAT):
09751BF69D496AAA3C92DF5ED446785B (mp4)
161307CD9FA201256B0D17D9F3085E78F32D642A (embedded Orcus)

C2:
weirdly.crabdance[.]com
poulty55.chickenkiller[.]com
194.5.98[.]139:9030
