orcus

General

Target

resembleC2.exe
Size

763KB
Sample

250112-d2hyaawqbm
MD5

f70fb0eacdba5672bd67ff9ad29e425b
SHA1

35c7ad26473afb12c8b46dfb51f3e0d73b92a7eb
SHA256

325ec7369a18af43c95815bacf830f5bcd1093436c25f67685226fe0d4812280
SHA512

e93012796de946c4b009d9c68a539ea010d88952c11ddd0fc05d3d4ebe1657f16a7f75269e2c6075c12564f40752c7f4aec0c64583ffb46d06ec69431e5f6ff5
SSDEEP

12288:wjB1GbyBRc8nAVCCpViLkSdIi/NvFFuHtHylX5mmYKlzQUG1R9qRst2hmKyL/mVD:wjB1myBRccwf/SdNFvFFu1yh5zlzY1RS

Score

10^/10

Malware Config

Extracted

Family

orcus

C2

9across-entitled.gl.at.ply.gg

Mutex

cac3aa9158e541b28ce1c4890a52661d

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/12/2025 04:15:11
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNwBkAGUAYQAzAGQAZgBhAGUAZQBjAGEANABjADcAYQA5ADcAZABiAGYAZQBlADUAMQAyADIAMgA1ADYAMgA3AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGUANABhADUAZgAzADIANwAzADkANQBjADQAOQA5ADUAYgA3ADgAYQA1ADYAYwBhAGYAMwAzAGIANgAzADQANgABAAAEBA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw

Targets

- Target
  
  resembleC2.exe
- Size
  
  763KB
- MD5
  
  f70fb0eacdba5672bd67ff9ad29e425b
- SHA1
  
  35c7ad26473afb12c8b46dfb51f3e0d73b92a7eb
- SHA256
  
  325ec7369a18af43c95815bacf830f5bcd1093436c25f67685226fe0d4812280
- SHA512
  
  e93012796de946c4b009d9c68a539ea010d88952c11ddd0fc05d3d4ebe1657f16a7f75269e2c6075c12564f40752c7f4aec0c64583ffb46d06ec69431e5f6ff5
- SSDEEP
  
  12288:wjB1GbyBRc8nAVCCpViLkSdIi/NvFFuHtHylX5mmYKlzQUG1R9qRst2hmKyL/mVD:wjB1myBRccwf/SdNFvFFu1yh5zlzY1RS
Score

10^/10

orcus umbral discovery execution rat spyware stealer
- Detect Umbral payload
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2