orcus | f56dc459e9d914a4291b02ee04ac3837d088bb3c08901e00a63802be90167c41 | Triage

Sharing

General

Target

smd.exe
Size

839KB
Sample

250104-atnl1s1pfw
MD5

3144e31b05fa12d135e40cb1ee92b155
SHA1

4c7c273b547ec8d42e439c687285d9060c7d3065
SHA256

f56dc459e9d914a4291b02ee04ac3837d088bb3c08901e00a63802be90167c41
SHA512

0ff81376b6db8ca1ada7b624bbb2bc622c817dabbf7bad1d8c6aba40d663dab1f2dd3a0b621650d020f62d6ca5f044024be220eac5e40990918ef6890039e438
SSDEEP

24576:1xdS04YNEMuExDiU6E5R9s8xY/2l/d2tnIbt+rT:bP4auS+UjfU2T2dIbt+r

Score

10^/10

orcus discovery evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

C2

3shop-extreme.gl.at.ply.gg

Mutex

51d6e45eabea4bbf89f8114ec5d59be0

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/03/2025 20:57:17
plugins
AgEAAA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  smd.exe
- Size
  
  839KB
- MD5
  
  3144e31b05fa12d135e40cb1ee92b155
- SHA1
  
  4c7c273b547ec8d42e439c687285d9060c7d3065
- SHA256
  
  f56dc459e9d914a4291b02ee04ac3837d088bb3c08901e00a63802be90167c41
- SHA512
  
  0ff81376b6db8ca1ada7b624bbb2bc622c817dabbf7bad1d8c6aba40d663dab1f2dd3a0b621650d020f62d6ca5f044024be220eac5e40990918ef6890039e438
- SSDEEP
  
  24576:1xdS04YNEMuExDiU6E5R9s8xY/2l/d2tnIbt+rT:bP4auS+UjfU2T2dIbt+r
Score

10^/10

orcus discovery evasion persistence rat spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoveryevasionpersistenceratspywarestealertrojan

behavioral2