Orat

Description

(SecureWorks) CTU researchers have only observed this basic loader tool in the context of BRONZE PRESIDENT intrusions. ORat is the name assigned by the malware author, as denoted by the program debug database string in the analyzed sample: D:\vswork\Plugin\ORat\build\Release\ORatServer\Loader.pdb. The tool uses the Windows Management Instrumentation (WMI) event consumer for persistence by installing a script to the system’s WMI registry. Messages sent from ORat to its command and control (C2) server start with the string ‘VIEWS0018x’. If the data received from the C2 server starts with the same string, then the remainder of the payload is decompressed using ORat’s ‘deflate’ algorithm and called as a function. ORat acts as a flexible loader tool rather than a fully featured remote access tool.

Names

Name
Orat

Type

Loader

Information

https://www.secureworks.com/research/bronze-president-targets-ngos

Other Information

Uuid

19552048-5564-480f-9e53-1411a008c8b4

Last Card Change

2022-04-04

Threat Intelligence Garden

Explorer

Orat

Orat

Description

Names

Category

Type

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks