orcus

General

Target

b2e7f5497b0cc51ccc1ef2ae65965b2afc47a6149aea27801f23a638c7838d2f
Size

840KB
Sample

241127-brhteswmcn
MD5

56a5bd1af43f7dafd36f07bcd326f38f
SHA1

95658d034db1988a810a90279cf040bd64e47b23
SHA256

b2e7f5497b0cc51ccc1ef2ae65965b2afc47a6149aea27801f23a638c7838d2f
SHA512

81a3ff8e73cd8e96aa3aa1c32969ff5bd953a99f811074d26682506e02f545f3ece338a125c381c9ec3ccc7e38d4814d5ffb26c6c994792fa9b4f3a2b234e9bc
SSDEEP

24576:csiS04YNEMuExDiU6E5R9s8xY/2l/d+5Ibt+r6:cs+4auS+UjfU2TgIbt+r

Score

10^/10

Malware Config

Extracted

Family

orcus

Botnet

Kompas Group

C2

157.245.148.149

Mutex

0ffda661718f499f923d5abfac3f086f

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
2
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
11/21/2024 23:25:08
plugins
AgEAAA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  b2e7f5497b0cc51ccc1ef2ae65965b2afc47a6149aea27801f23a638c7838d2f
- Size
  
  840KB
- MD5
  
  56a5bd1af43f7dafd36f07bcd326f38f
- SHA1
  
  95658d034db1988a810a90279cf040bd64e47b23
- SHA256
  
  b2e7f5497b0cc51ccc1ef2ae65965b2afc47a6149aea27801f23a638c7838d2f
- SHA512
  
  81a3ff8e73cd8e96aa3aa1c32969ff5bd953a99f811074d26682506e02f545f3ece338a125c381c9ec3ccc7e38d4814d5ffb26c6c994792fa9b4f3a2b234e9bc
- SSDEEP
  
  24576:csiS04YNEMuExDiU6E5R9s8xY/2l/d+5Ibt+r6:cs+4auS+UjfU2TgIbt+r
Score

10^/10

orcus kompas group discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2