orcus

General

Target

fffffffffff.exe
Size

840KB
Sample

241211-w7glhsyldr
MD5

bf3709975587af1ae764262fd2ce2f48
SHA1

de63b6c5b11653e8d777f8cbbf6018972413d44a
SHA256

4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33
SHA512

19d3ed22232c5f907b951935ff465bea24317421c47934032cb010f250eb8bdebfd6907a26b844716c4da1599d37c54e8275ce67f13810c9b064c962b84e4d94
SSDEEP

24576:dA8S04YNEMuExDiU6E5R9s8xY/2l/dV5Ibt+rk:dA04auS+UjfU2TbIbt+r

Score

10^/10

Malware Config

Extracted

Family

orcus

Botnet

drhdrhdrhdrh

C2

127.0.0.1

m5email-hitting.gl.at.ply.gg

Mutex

e3db35b9530943cab373c52757f1acfa

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
12/11/2024 19:30:42
plugins
AgEAAA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  fffffffffff.exe
- Size
  
  840KB
- MD5
  
  bf3709975587af1ae764262fd2ce2f48
- SHA1
  
  de63b6c5b11653e8d777f8cbbf6018972413d44a
- SHA256
  
  4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33
- SHA512
  
  19d3ed22232c5f907b951935ff465bea24317421c47934032cb010f250eb8bdebfd6907a26b844716c4da1599d37c54e8275ce67f13810c9b064c962b84e4d94
- SSDEEP
  
  24576:dA8S04YNEMuExDiU6E5R9s8xY/2l/dV5Ibt+rk:dA04auS+UjfU2TbIbt+r
Score

10^/10

orcus drhdrhdrhdrh discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2