orcus | 3e29e55b700385d78279334c5831aa5553e007df0c3b1b78a20543b80714d250 | Triage

Sharing

General

Target

3e29e55b700385d78279334c5831aa5553e007df0c3b1b78a20543b80714d250
Size

839KB
Sample

250104-bek31sspgx
MD5

6c2c7289dcf4dcf70d81c993d72f26c4
SHA1

7687da2f87042f6f8ef5c79d8ed9beca1fe478e7
SHA256

3e29e55b700385d78279334c5831aa5553e007df0c3b1b78a20543b80714d250
SHA512

61195ac5e3da8f5ab807ae0ba698e96f65b8e879afa83b5b67786516d008f34505ff4fc8a3704103f61a287a597943fedab03b836463db222155a3348fdc63f6
SSDEEP

24576:TpS04YNEMuExDiU6E5R9s8xY/2l/dmtnIbt+rP:TL4auS+UjfU2TmdIbt+r

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

2.tcp.eu.ngrok.io

Mutex

05216c89fea5473198f9b92208d3b339

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/03/2025 21:46:16
plugins
AgEAAA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  3e29e55b700385d78279334c5831aa5553e007df0c3b1b78a20543b80714d250
- Size
  
  839KB
- MD5
  
  6c2c7289dcf4dcf70d81c993d72f26c4
- SHA1
  
  7687da2f87042f6f8ef5c79d8ed9beca1fe478e7
- SHA256
  
  3e29e55b700385d78279334c5831aa5553e007df0c3b1b78a20543b80714d250
- SHA512
  
  61195ac5e3da8f5ab807ae0ba698e96f65b8e879afa83b5b67786516d008f34505ff4fc8a3704103f61a287a597943fedab03b836463db222155a3348fdc63f6
- SSDEEP
  
  24576:TpS04YNEMuExDiU6E5R9s8xY/2l/dmtnIbt+rP:TL4auS+UjfU2TmdIbt+r
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

orcusdiscoveryratspywarestealer

behavioral2