orcus

Sharing

Copy URL

Twitter E-mail

General

Target

Ghosty Permanent Spoofer.rar
Size

33.5MB
Sample

241227-lq4dvatqdk
MD5

44a687ff5f4954f86d0a911cec843437
SHA1

c0379b53e62c3aa490435ebec901442cf637d0e7
SHA256

873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b
SHA512

9b352b9ba5c0daec9dde3d73d1c13188e19af6590b15f66fcde0337dd1e7a4b8f14913239b1706c057cd0aad91c7b67c8396fb7d28012fb28b13e21585a703a8
SSDEEP

786432:lUyKIZaUx0zxV3l24EosGt9DVfXfIV3iqpGjRSoBFwTWT:lzlN07V243/9RIpiCG9HwTK

Score

10^/10

Malware Config

Extracted

Family

orcus

another-contains.gl.at.ply.gg

Mutex

a49af69032c94d6fa7c0d2639d32f038

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
12/24/2024 02:03:43
plugins
AgUFyOzBvwKV1wLetwKoxrcNilV/bBUKRwBhAG0AZQByACAAVgBpAGUAdwAHAzEALgAyAEEgYgA2ADkAZgA0ADUAZQBiADYANgAxADYANAA2ADAAZgA5AGUAMQAwADIAMgBkADcANwA3ADMAMABmADAANwAzAAIAAAACAg==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  Ghosty Permanent Spoofer/GHOSTYFN.exe
- Size
  
  6.1MB
- MD5
  
  73c7cc676ab19d426f2745ef261d6349
- SHA1
  
  f217a78eb2beddcbf5bb00c229a96f9ffaa98a0d
- SHA256
  
  4a513270a4d7e85bdc8dfe9adea3b190cfc055e562060c2be9389336333864a0
- SHA512
  
  40f69adef5b8de42283ff0539cf0f0259ed9d23baa4e87c63e594fe12ca7f35e73dc3a0d6a66dd13a584d0e1569940026bc49d41f95a1f23c0c3fd810613ad36
- SSDEEP
  
  98304:BwalpQAdxjrQaMQZZV4g0rvnkVKg9JmcDiCwGDz+Uog9XhhFyoL:JjTrusV4fvuH938Sn9X9t
Score

10^/10

orcus defense_evasion discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2
- Target
  
  Ghosty Permanent Spoofer/KA-LicenseKey_x86_x64_v1.1.exe
- Size
  
  5.3MB
- MD5
  
  efab4965da18f638ba67ece790fded62
- SHA1
  
  27687605909f5a885d78268a5fe0112723049581
- SHA256
  
  93679af51f96edfa02cabea6801aba4484a90449745e2aa78afbd3e13fc1e070
- SHA512
  
  66e86dca1427245f6ea454287012ece56d44315310b531dd625c2336b26ba4bef2e9f0c8c70649f7e8ec3c3181ed5080c0e72833ea9b43bd742bdeb08b2691dd
- SSDEEP
  
  98304:t287e9Cg7HpxtbymElTE89gcTaqNTP3f8aPWIKz86PB3/dnDc5Fy/OIkvU:887ejpbyVlbD/evz8cxaFePks
Score

1^/10
behavioral3 behavioral4
- Target
  
  Ghosty Permanent Spoofer/KA-MemIntegrity_x86_x64_v1.1.exe
- Size
  
  351KB
- MD5
  
  877a111203c6c66509c6a946822050aa
- SHA1
  
  bb88e7134729d0fa32335a573881f0bc73c298fe
- SHA256
  
  b0080c00e9fbe13df87806bd20826eb9735a8b67f3f6aae58b3b370ed381003c
- SHA512
  
  2723aaa1c12e7c64617da1a543c22f7a92a7df42cd825b78585711aaa650b330bfe75716fd5924e1b5b3d17ece2e6c9c2d69641ae1cc2b5e4889eff8cbef97a7
- SSDEEP
  
  3072:v+iP3g1kBnFMYuOiFUlTRqg2VeHeKj6zJW9HTfYCf0ctQ46YLQhruyF0gXgv:v+tkFMYViFUlTRzye8NWpBYRwv
Score

1^/10
behavioral5 behavioral6
- Target
  
  Ghosty Permanent Spoofer/SafeGuard-Library.dll
- Size
  
  12.5MB
- MD5
  
  0ba40688b6a23948b2bd929dd2777a59
- SHA1
  
  bc109471bb84c7dc05ee6b1b63eae36c0e6ab209
- SHA256
  
  4e3eca4adbe0c4fede28228239dd93bb866ecd0415569ede6464d796e8d1a3a8
- SHA512
  
  104b2e48779d9e1f534ceb546f911e535eda1b2645f494313df661aceca41c134d3a10b3e97a00ddf4a40556421369fff3872e466357743bc21ea19e0b0c2156
- SSDEEP
  
  196608:SOHt8K/1aCIGzofI1PRcndumYBy9HwMmoiODwuNaENvHkSGC/jcZ1yRTs6:1Hp/ggMIpOnXu2Y0wugOvHaZZUBB
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  Ghosty Permanent Spoofer/VMProtectSDK64.dll
- Size
  
  116KB
- MD5
  
  ba5cf8079fa68d90a2e6497d3c5711c1
- SHA1
  
  66b3c641ccd9a04ebf35ea868548bf58de295a11
- SHA256
  
  ae22254e2b5c5557f35a170696d53e847018221dcd4cc70c153c36ecdd891f81
- SHA512
  
  8537604678bed001aca037d94c80d8d1dd3da3d5bf806fa687f44a093cb07a316dcef084b572b4fd9b3cd2d93fedc7db66a817b27f395a772f3b844509c30156
- SSDEEP
  
  3072:cmcqYHq7Aiytzg2ScpvgJcG5sqYX6UJHslBS:l0Hq7AiyegZgJZSXhMH
Score

1^/10
behavioral10 behavioral9
- Target
  
  Ghosty Permanent Spoofer/brotlicommon.dll
- Size
  
  134KB
- MD5
  
  f2e401ec1c85ba69b28cca6e814afe3c
- SHA1
  
  9d7d78e98fae9c22a2ff4a938672c3fe37589738
- SHA256
  
  b9b868f703ccb61ec15d14dcc738c4a4eebcc59c2f827090e7ced2f91c9debd7
- SHA512
  
  605f0fa4d301519b07bb542ec215e9fa1d7426129c1b8a8de56e5418c3e64867d1f54ece273ff070b8ca4c5bf39dbdebbdddd83d6be6e701bb160b95b4597be1
- SSDEEP
  
  3072:Wsu4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBbd:Wsu4AhdNorGvHdbi09GJ1d
Score

1^/10
behavioral11 behavioral12
- Target
  
  Ghosty Permanent Spoofer/brotlidec.dll
- Size
  
  49KB
- MD5
  
  b388b7f74802614467a17854b4bf75ff
- SHA1
  
  0ec7a95503e27ee4735e0c4a7051125ece957ab1
- SHA256
  
  da4996a4d6b9e18c3ebce85b5fbd5666950e69e5d0e31afa2eef550c2671bd93
- SHA512
  
  7c45a583cacf798b36fc6241397536ecb2eb9a846531fa8906c5c93e0680151ab9cf448bfb5a229c38fac8d4b83cdb044f05b95bada5a047e4acbcbc64c4d0d8
- SSDEEP
  
  768:5GsldGuGMH5uA7IsAkEw6qDbYpz+piuazQxARbYs30yMYRk:5dXn5h8sFEw6qbYF+A1nXRk
Score

1^/10
behavioral13 behavioral14
- Target
  
  Ghosty Permanent Spoofer/bz2.dll
- Size
  
  74KB
- MD5
  
  d31259e39bc2690a34448601e0bf105f
- SHA1
  
  e5339404e51f56cc0349b250adb7e61dd4b22476
- SHA256
  
  c94f3302b33c45a35ba83448c111dd0138a49d6355c943af0ea40bc8014a991b
- SHA512
  
  79261bf57bc098d9c0e5f3cfa6acc2c353bc830fc7ae7201e13f3de54e4e584e5b1b5dfb4193818863cd36759b9c07d431b09f6ac74f6765827c4a2d47115541
- SSDEEP
  
  1536:dFuz4WM+ygiwnOlUgiLfzv3cNN9qlkl0DynlEzE8O:7YyzlJGzklck2DynlCX
Score

1^/10
behavioral15 behavioral16
- Target
  
  Ghosty Permanent Spoofer/freetype.dll
- Size
  
  675KB
- MD5
  
  5eb3264c300a0a0a45f22305cff49596
- SHA1
  
  06ef49a2d145dc98dbd5eea42b1de53b7039b5c4
- SHA256
  
  9aa4d1356beedaad8f8879b49b76d1ff120dec210a1c0135ede8b9337ad0505d
- SHA512
  
  a2735a950d3505a7c835e78ed245cbdbff3821d5c9c4ac24b933ee143eab9b95d55ab6cff3bba16229f372077d7cfe2aac9785149ab70e742ed177872cde6ba0
- SSDEEP
  
  12288:C2xWbECcYWsMWfzJ8JmkMJDX1CxZ4YPma2xtKYENdfEWmb9:C2xBfYWsZflQsXgxvPm/FZ
Score

1^/10
behavioral17 behavioral18
- Target
  
  Ghosty Permanent Spoofer/libpng16.dll
- Size
  
  197KB
- MD5
  
  ee63a5f831a47c40b38534b078742e53
- SHA1
  
  e8320fd97b77e717255ad3732d2c677de77405bd
- SHA256
  
  28f086ae4965dd262e000783a4fd8aebdce8eeeef8285db59984144e7a4c45d4
- SHA512
  
  7b051a6957723bf1413e6ccb29c688d10eb7f87553cdf5bc8d876ed3f3b6cd5e9bcbeabb151acb36e483587aafaf5ce43d80e2995153b3bcfc14ac9ef3e38726
- SSDEEP
  
  3072:9wpWtEvS0EUd2RI4/Y/GN8WYC8tYQ3bKOX+v0pl7TSrffmLM+w:9wAEvNTd2RID+87tJbN40/IXX
Score

1^/10
behavioral19 behavioral20
- Target
  
  Ghosty Permanent Spoofer/server/Certificates/generate-certs.sh
- Size
  
  726B
- MD5
  
  cfbabd8034b1b13e82dc7e9e7de3fd03
- SHA1
  
  8275a5a285b9248b984209ecae563bf92229c5d3
- SHA256
  
  a559dcd94b5dc389f518acd1f856e11e3146d1891a9026fb8691ff342836f447
- SHA512
  
  26213455dd4fb95c0bd67e81146c67bc91dde4894af5a4a9a290b9a0008f22e233a2f5aff04b0a16e2376f3eecf5943c7a8c36c5a690cd6d200b1af2a10291a1
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  generate-certs.sh
- Size
  
  726B
- MD5
  
  cfbabd8034b1b13e82dc7e9e7de3fd03
- SHA1
  
  8275a5a285b9248b984209ecae563bf92229c5d3
- SHA256
  
  a559dcd94b5dc389f518acd1f856e11e3146d1891a9026fb8691ff342836f447
- SHA512
  
  26213455dd4fb95c0bd67e81146c67bc91dde4894af5a4a9a290b9a0008f22e233a2f5aff04b0a16e2376f3eecf5943c7a8c36c5a690cd6d200b1af2a10291a1
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  1337/convert/generate-certs.sh
- Size
  
  726B
- MD5
  
  cfbabd8034b1b13e82dc7e9e7de3fd03
- SHA1
  
  8275a5a285b9248b984209ecae563bf92229c5d3
- SHA256
  
  a559dcd94b5dc389f518acd1f856e11e3146d1891a9026fb8691ff342836f447
- SHA512
  
  26213455dd4fb95c0bd67e81146c67bc91dde4894af5a4a9a290b9a0008f22e233a2f5aff04b0a16e2376f3eecf5943c7a8c36c5a690cd6d200b1af2a10291a1
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  Ghosty Permanent Spoofer/server/x64/Release/Emulator.exe
- Size
  
  596KB
- MD5
  
  8b24e99924113fa9bebde74ab2aeb29c
- SHA1
  
  9b66e30dcf9ac6ec3bd15547c2c43db686283ed2
- SHA256
  
  777e731543579910dc6d0dd5b15d71d46a50c401b1203cdd7cbacc79363ee5b8
- SHA512
  
  68b2ddf5cc52c302d1af3e792b48b421cde79f94a73f69f3c759e432be22a009422d2d84e832334e1169c30a1e6a88c714f69824d66474c692b56884eb4f4750
- SSDEEP
  
  6144:zZ6EcigBgNldCeqnMQO/bx2Fdglh78TlZ9u5rDcZxXcbeUyzntOhYUlPAF5NcRdL:sfBgNlweqn+lhcZA5cDXcbh40l
Score

1^/10
behavioral27 behavioral28
- Target
  
  Ghosty Permanent Spoofer/server/x64/Release/libcrypto-3-x64.dll
- Size
  
  4.6MB
- MD5
  
  2b29fefde1095bad70504c82d37f8323
- SHA1
  
  2e2cff1ab2b229cbc0f266bf51a2c08ce06f58e9
- SHA256
  
  5527ff18dd749687d886ef7f383463b6ce7bca66c773d6ff94f40190da853ebe
- SHA512
  
  c3d52300cad66daa405a4ca44d55708131f15e32a1948018aceae1e6345d56a7c8c130f09e2b035ec8442c4070a040f6f377aea44d9e714c54c673c0d68b7c6a
- SSDEEP
  
  49152:EZ18MKT1dSmj2zdfzg5BBa3dETE/9by4L38dsJpzWdJLjijzeZ6+yzJBeMzwPLIN:uuImBBc8RKjuozkueq1CPwDvt3uFFZC
Score

1^/10
behavioral29 behavioral30
- Target
  
  Ghosty Permanent Spoofer/server/x64/Release/libssl-3-x64.dll
- Size
  
  537KB
- MD5
  
  5ae31cfaf71fb03d07a2caa4f5f80ed0
- SHA1
  
  a9dec69c227ef1c6b3fb6c5296695f7f03fcd46d
- SHA256
  
  96dde73df4a2df72d5fc788e1ad99c6adf388cd42c2f874cf8d6a883a3654bf7
- SHA512
  
  8c571de5bf27e8ac83be213aa290128db95039dfeaa2fb80698e77ba0a2b3b6630b4aa08a3402585891923b162824b5227b28372a47c9a84de5f9fd0ba2b4f86
- SSDEEP
  
  6144:LFPdnNGPhGpJbSOnhB6giIY2Nrv+LUAxb7lW519ivM01sQi7E:plNEGpMOnX6giIn8JWN8M01sQi
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Obfuscated Files or Information: Command Obfuscation

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32