orcus

Sharing

Copy URL

Twitter E-mail

General

Target

Ghosty Permanent Spoofer.rar
Size

33.5MB
Sample

250107-2e9z9atnbm
MD5

44a687ff5f4954f86d0a911cec843437
SHA1

c0379b53e62c3aa490435ebec901442cf637d0e7
SHA256

873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b
SHA512

9b352b9ba5c0daec9dde3d73d1c13188e19af6590b15f66fcde0337dd1e7a4b8f14913239b1706c057cd0aad91c7b67c8396fb7d28012fb28b13e21585a703a8
SSDEEP

786432:lUyKIZaUx0zxV3l24EosGt9DVfXfIV3iqpGjRSoBFwTWT:lzlN07V243/9RIpiCG9HwTK

Score

10^/10

Malware Config

Extracted

Family

orcus

another-contains.gl.at.ply.gg

Mutex

a49af69032c94d6fa7c0d2639d32f038

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
12/24/2024 02:03:43
plugins
AgUFyOzBvwKV1wLetwKoxrcNilV/bBUKRwBhAG0AZQByACAAVgBpAGUAdwAHAzEALgAyAEEgYgA2ADkAZgA0ADUAZQBiADYANgAxADYANAA2ADAAZgA5AGUAMQAwADIAMgBkADcANwA3ADMAMABmADAANwAzAAIAAAACAg==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  Ghosty Permanent Spoofer.rar
- Size
  
  33.5MB
- MD5
  
  44a687ff5f4954f86d0a911cec843437
- SHA1
  
  c0379b53e62c3aa490435ebec901442cf637d0e7
- SHA256
  
  873b3f4e9bcdf5c69e3928012df2b4d5fb94cb964f89ba842bdeb575178e031b
- SHA512
  
  9b352b9ba5c0daec9dde3d73d1c13188e19af6590b15f66fcde0337dd1e7a4b8f14913239b1706c057cd0aad91c7b67c8396fb7d28012fb28b13e21585a703a8
- SSDEEP
  
  786432:lUyKIZaUx0zxV3l24EosGt9DVfXfIV3iqpGjRSoBFwTWT:lzlN07V243/9RIpiCG9HwTK
Score

10^/10

orcus defense_evasion discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2
- Target
  
  Ghosty Permanent Spoofer/GHOSTYFN.exe
- Size
  
  6.1MB
- MD5
  
  73c7cc676ab19d426f2745ef261d6349
- SHA1
  
  f217a78eb2beddcbf5bb00c229a96f9ffaa98a0d
- SHA256
  
  4a513270a4d7e85bdc8dfe9adea3b190cfc055e562060c2be9389336333864a0
- SHA512
  
  40f69adef5b8de42283ff0539cf0f0259ed9d23baa4e87c63e594fe12ca7f35e73dc3a0d6a66dd13a584d0e1569940026bc49d41f95a1f23c0c3fd810613ad36
- SSDEEP
  
  98304:BwalpQAdxjrQaMQZZV4g0rvnkVKg9JmcDiCwGDz+Uog9XhhFyoL:JjTrusV4fvuH938Sn9X9t
Score

10^/10

orcus defense_evasion discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral3 behavioral4
- Target
  
  Ghosty Permanent Spoofer/KA-LicenseKey_x86_x64_v1.1.exe
- Size
  
  5.3MB
- MD5
  
  efab4965da18f638ba67ece790fded62
- SHA1
  
  27687605909f5a885d78268a5fe0112723049581
- SHA256
  
  93679af51f96edfa02cabea6801aba4484a90449745e2aa78afbd3e13fc1e070
- SHA512
  
  66e86dca1427245f6ea454287012ece56d44315310b531dd625c2336b26ba4bef2e9f0c8c70649f7e8ec3c3181ed5080c0e72833ea9b43bd742bdeb08b2691dd
- SSDEEP
  
  98304:t287e9Cg7HpxtbymElTE89gcTaqNTP3f8aPWIKz86PB3/dnDc5Fy/OIkvU:887ejpbyVlbD/evz8cxaFePks
Score

1^/10
behavioral5 behavioral6
- Target
  
  Ghosty Permanent Spoofer/KA-MemIntegrity_x86_x64_v1.1.exe
- Size
  
  351KB
- MD5
  
  877a111203c6c66509c6a946822050aa
- SHA1
  
  bb88e7134729d0fa32335a573881f0bc73c298fe
- SHA256
  
  b0080c00e9fbe13df87806bd20826eb9735a8b67f3f6aae58b3b370ed381003c
- SHA512
  
  2723aaa1c12e7c64617da1a543c22f7a92a7df42cd825b78585711aaa650b330bfe75716fd5924e1b5b3d17ece2e6c9c2d69641ae1cc2b5e4889eff8cbef97a7
- SSDEEP
  
  3072:v+iP3g1kBnFMYuOiFUlTRqg2VeHeKj6zJW9HTfYCf0ctQ46YLQhruyF0gXgv:v+tkFMYViFUlTRzye8NWpBYRwv
Score

1^/10
behavioral7 behavioral8
- Target
  
  Ghosty Permanent Spoofer/SafeGuard-Library.dll
- Size
  
  12.5MB
- MD5
  
  0ba40688b6a23948b2bd929dd2777a59
- SHA1
  
  bc109471bb84c7dc05ee6b1b63eae36c0e6ab209
- SHA256
  
  4e3eca4adbe0c4fede28228239dd93bb866ecd0415569ede6464d796e8d1a3a8
- SHA512
  
  104b2e48779d9e1f534ceb546f911e535eda1b2645f494313df661aceca41c134d3a10b3e97a00ddf4a40556421369fff3872e466357743bc21ea19e0b0c2156
- SSDEEP
  
  196608:SOHt8K/1aCIGzofI1PRcndumYBy9HwMmoiODwuNaENvHkSGC/jcZ1yRTs6:1Hp/ggMIpOnXu2Y0wugOvHaZZUBB
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  Ghosty Permanent Spoofer/VMProtectSDK64.dll
- Size
  
  116KB
- MD5
  
  ba5cf8079fa68d90a2e6497d3c5711c1
- SHA1
  
  66b3c641ccd9a04ebf35ea868548bf58de295a11
- SHA256
  
  ae22254e2b5c5557f35a170696d53e847018221dcd4cc70c153c36ecdd891f81
- SHA512
  
  8537604678bed001aca037d94c80d8d1dd3da3d5bf806fa687f44a093cb07a316dcef084b572b4fd9b3cd2d93fedc7db66a817b27f395a772f3b844509c30156
- SSDEEP
  
  3072:cmcqYHq7Aiytzg2ScpvgJcG5sqYX6UJHslBS:l0Hq7AiyegZgJZSXhMH
Score

1^/10
behavioral11 behavioral12
- Target
  
  Ghosty Permanent Spoofer/brotlicommon.dll
- Size
  
  134KB
- MD5
  
  f2e401ec1c85ba69b28cca6e814afe3c
- SHA1
  
  9d7d78e98fae9c22a2ff4a938672c3fe37589738
- SHA256
  
  b9b868f703ccb61ec15d14dcc738c4a4eebcc59c2f827090e7ced2f91c9debd7
- SHA512
  
  605f0fa4d301519b07bb542ec215e9fa1d7426129c1b8a8de56e5418c3e64867d1f54ece273ff070b8ca4c5bf39dbdebbdddd83d6be6e701bb160b95b4597be1
- SSDEEP
  
  3072:Wsu4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBbd:Wsu4AhdNorGvHdbi09GJ1d
Score

1^/10
behavioral13 behavioral14
- Target
  
  Ghosty Permanent Spoofer/brotlidec.dll
- Size
  
  49KB
- MD5
  
  b388b7f74802614467a17854b4bf75ff
- SHA1
  
  0ec7a95503e27ee4735e0c4a7051125ece957ab1
- SHA256
  
  da4996a4d6b9e18c3ebce85b5fbd5666950e69e5d0e31afa2eef550c2671bd93
- SHA512
  
  7c45a583cacf798b36fc6241397536ecb2eb9a846531fa8906c5c93e0680151ab9cf448bfb5a229c38fac8d4b83cdb044f05b95bada5a047e4acbcbc64c4d0d8
- SSDEEP
  
  768:5GsldGuGMH5uA7IsAkEw6qDbYpz+piuazQxARbYs30yMYRk:5dXn5h8sFEw6qbYF+A1nXRk
Score

1^/10
behavioral15 behavioral16
- Target
  
  Ghosty Permanent Spoofer/bz2.dll
- Size
  
  74KB
- MD5
  
  d31259e39bc2690a34448601e0bf105f
- SHA1
  
  e5339404e51f56cc0349b250adb7e61dd4b22476
- SHA256
  
  c94f3302b33c45a35ba83448c111dd0138a49d6355c943af0ea40bc8014a991b
- SHA512
  
  79261bf57bc098d9c0e5f3cfa6acc2c353bc830fc7ae7201e13f3de54e4e584e5b1b5dfb4193818863cd36759b9c07d431b09f6ac74f6765827c4a2d47115541
- SSDEEP
  
  1536:dFuz4WM+ygiwnOlUgiLfzv3cNN9qlkl0DynlEzE8O:7YyzlJGzklck2DynlCX
Score

1^/10
behavioral17 behavioral18
- Target
  
  Ghosty Permanent Spoofer/freetype.dll
- Size
  
  675KB
- MD5
  
  5eb3264c300a0a0a45f22305cff49596
- SHA1
  
  06ef49a2d145dc98dbd5eea42b1de53b7039b5c4
- SHA256
  
  9aa4d1356beedaad8f8879b49b76d1ff120dec210a1c0135ede8b9337ad0505d
- SHA512
  
  a2735a950d3505a7c835e78ed245cbdbff3821d5c9c4ac24b933ee143eab9b95d55ab6cff3bba16229f372077d7cfe2aac9785149ab70e742ed177872cde6ba0
- SSDEEP
  
  12288:C2xWbECcYWsMWfzJ8JmkMJDX1CxZ4YPma2xtKYENdfEWmb9:C2xBfYWsZflQsXgxvPm/FZ
Score

1^/10
behavioral19 behavioral20
- Target
  
  Ghosty Permanent Spoofer/imgui.ini
- Size
  
  96B
- MD5
  
  4e6c82ea70e35ffccbc1f6e1e407cf69
- SHA1
  
  7f824787db54b8328a0d85365e001fb3f3a3f9a7
- SHA256
  
  7feae2d266f55f0c5fe1104b96ae043ef79aaeac7ab7fa27225afd44b0a9c66f
- SHA512
  
  5223dbf0dfb5dde2ff2507d2128cff8363c257c31e673ad63b8a910a915dabf8166412df21322124619a43796b1285308103df0a5dd65acd8812272ea0fbedd5
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Ghosty Permanent Spoofer/libpng16.dll
- Size
  
  197KB
- MD5
  
  ee63a5f831a47c40b38534b078742e53
- SHA1
  
  e8320fd97b77e717255ad3732d2c677de77405bd
- SHA256
  
  28f086ae4965dd262e000783a4fd8aebdce8eeeef8285db59984144e7a4c45d4
- SHA512
  
  7b051a6957723bf1413e6ccb29c688d10eb7f87553cdf5bc8d876ed3f3b6cd5e9bcbeabb151acb36e483587aafaf5ce43d80e2995153b3bcfc14ac9ef3e38726
- SSDEEP
  
  3072:9wpWtEvS0EUd2RI4/Y/GN8WYC8tYQ3bKOX+v0pl7TSrffmLM+w:9wAEvNTd2RID+87tJbN40/IXX
Score

1^/10
behavioral23 behavioral24
- Target
  
  Ghosty Permanent Spoofer/server/Certificates/generate-certs.sh
- Size
  
  726B
- MD5
  
  cfbabd8034b1b13e82dc7e9e7de3fd03
- SHA1
  
  8275a5a285b9248b984209ecae563bf92229c5d3
- SHA256
  
  a559dcd94b5dc389f518acd1f856e11e3146d1891a9026fb8691ff342836f447
- SHA512
  
  26213455dd4fb95c0bd67e81146c67bc91dde4894af5a4a9a290b9a0008f22e233a2f5aff04b0a16e2376f3eecf5943c7a8c36c5a690cd6d200b1af2a10291a1
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  Ghosty Permanent Spoofer/server/EmuAuth.sln
- Size
  
  887B
- MD5
  
  c4f9e979f24c7796ad2735f599ce903a
- SHA1
  
  87d2f4231f4e669085b5a73d177abcef08de6a4b
- SHA256
  
  0ef42ab9f600f3c0dcacf98c24550b509527d31234762654ad33ba1a8556b066
- SHA512
  
  0563668eef5bd23bd1f03acadf3314ca82ebc52d783a104dbe768a6ebfc2e20affb5907dc79620387e1ac6eea6fb130a2427e0b1272355e0d6706f341f102610
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  Ghosty Permanent Spoofer/server/EmuAuth/EmuAuth.vcxproj
- Size
  
  7KB
- MD5
  
  72dd431cf325ada32e9560ddb65a659e
- SHA1
  
  12e726f8f3c9721fcc18946c0908b17bf1f18997
- SHA256
  
  503307a798fd4b15280f619f66117b7d99887f9c159b1d90e540bdce6c5fe3d9
- SHA512
  
  83e35b1fec8ef8445f4c652becf207b3cff445b87c5b32761442a3d176c5e9de7e618626ef77e9b34cbf4b5cd8dfd1e23bff6e8cdbe43aaec7e9e90f7a6cfd5d
- SSDEEP
  
  96:Z0/zcpU1fNOw7FO7bw7aOL2YyaLbyaLMyaL6yaLDmzA7/ePPcrAf/eWPcKfA7/ep:e/zcmls4hN/YPce/JPct/gPcL/xPcn
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Ghosty Permanent Spoofer/server/EmuAuth/EmuAuth.vcxproj.filters
- Size
  
  1KB
- MD5
  
  275f48c170e75221487400c04dab0bd7
- SHA1
  
  a8a2b2cec7e36b3935335a638821e228cf00f4fe
- SHA256
  
  8dbc9ee75e135a99602172c9043775b31153fd52d061205bc7f0e72a24349374
- SHA512
  
  6dce8a9a6d3ef6235c2e74d122d0debd15e6e0ccb7fc1c3a2752616fbb51acaf9635163c00373bc9ec6b4c380db5dc268b69692901f5c9609aa98a4d31921075
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Executes dropped EXE

Loads dropped DLL

Obfuscated Files or Information: Command Obfuscation

Orcus

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Obfuscated Files or Information: Command Obfuscation

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32