Overview

overview

10

Static

static

3

057b9aed86...b1.exe

windows7-x64

10

057b9aed86...b1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    057b9aed86d82460255dcf944e207e2e4e09b50ce40752fa09c5a0f6df2d05b1

  • Size

    15.0MB

  • Sample

    241125-brszdszres

  • MD5

    36da3c890e67303d1204ac52266ea80d

  • SHA1

    8aadb0fd59dbd9653590cc4bf9fbb73ae8444767

  • SHA256

    057b9aed86d82460255dcf944e207e2e4e09b50ce40752fa09c5a0f6df2d05b1

  • SHA512

    3b79d4e8dfe6061f708b3f62df9c95a64d9c97c9522ade741a3275e1380b0176675d34f621282eadb96dcfac8736a5a8ae1ed492d4233b508300d17d94b0260f

  • SSDEEP

    24576:0DPS04YNEMuExDiU6E5R9s8xY/2l/dVBeIbt+rPULW:0Dl4auS+UjfU2T3eIbt+rMLW

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

147.185.221.23

communications-sugar.gl.at.ply.gg
Mutex

11ad7b9a9f3648a9919132ed4611b033

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    11/18/2024 13:11:11

  • plugins

    AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgOAA0ADEANwA3ADYAMQA1ADgAYgBkADIANAAwADkAOQBiADIAZQAyADIAMgBjADkAZgAxAGYAMwAzAGYAMAA2AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGEAZQBlAGIAYwBjAGUANwBkADAAZAAwADQANAA4ADEAYQA1AGYANwAxADAAMwBhAGYAOAAzADUAMAA2ADUAZQABAAAEBA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      057b9aed86d82460255dcf944e207e2e4e09b50ce40752fa09c5a0f6df2d05b1

    • Size

      15.0MB

    • MD5

      36da3c890e67303d1204ac52266ea80d

    • SHA1

      8aadb0fd59dbd9653590cc4bf9fbb73ae8444767

    • SHA256

      057b9aed86d82460255dcf944e207e2e4e09b50ce40752fa09c5a0f6df2d05b1

    • SHA512

      3b79d4e8dfe6061f708b3f62df9c95a64d9c97c9522ade741a3275e1380b0176675d34f621282eadb96dcfac8736a5a8ae1ed492d4233b508300d17d94b0260f

    • SSDEEP

      24576:0DPS04YNEMuExDiU6E5R9s8xY/2l/dVBeIbt+rPULW:0Dl4auS+UjfU2T3eIbt+rMLW

    Score
    10/10
    orcusdiscoveryratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks