orcus

General

Target

Client.exe
Size

5.8MB
Sample

240917-gd67raxbrg
MD5

57dfdf38348f8f1430f0d9fbb7f37fa6
SHA1

1b3f170ff4dae721729a33f6464c2b2d6c2546c2
SHA256

1d8d04c3cfe2446ece5d63576fa87c6aeffc6d2b04ee9b13e43855537a2b1d3e
SHA512

42bd9bba3b3313ecbd19113fbab1a78235d08f1543e85b6b33022184f4c49058449e2659540b59cd1c6a9a3ddf59a8e158b815f8425e17b19b6a9c49826b778f
SSDEEP

49152:56gv1mu0ZaRMU2dPmbhmKq47StgZRveKmgxZXJQt:5D0Zy6KmKqigg7vgg35G

Score

10^/10

Malware Config

Extracted

Family

orcus

C2

0.0.0.0:10134

Mutex

b2423402dbd44d55b000965e89fc8d6e

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\SoundCloud\Client.exe
reconnect_delay
10000
registry_keyname
UsermodeFontDriverHost
taskscheduler_taskname
UsermodeFontDriverHost
watchdog_path
Temp\Usermode Font Driver Host.exe

Targets

- Target
  
  Client.exe
- Size
  
  5.8MB
- MD5
  
  57dfdf38348f8f1430f0d9fbb7f37fa6
- SHA1
  
  1b3f170ff4dae721729a33f6464c2b2d6c2546c2
- SHA256
  
  1d8d04c3cfe2446ece5d63576fa87c6aeffc6d2b04ee9b13e43855537a2b1d3e
- SHA512
  
  42bd9bba3b3313ecbd19113fbab1a78235d08f1543e85b6b33022184f4c49058449e2659540b59cd1c6a9a3ddf59a8e158b815f8425e17b19b6a9c49826b778f
- SSDEEP
  
  49152:56gv1mu0ZaRMU2dPmbhmKq47StgZRveKmgxZXJQt:5D0Zy6KmKqigg7vgg35G
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2