General

  • Target

    0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754

  • Size

    839KB

  • Sample

    250127-bf48aatnhl

  • MD5

    f8fbd7b9f090423f8851529e647a64ef

  • SHA1

    177dc6e93a4808fa1fb7e1dcd9235ce4559dbc8b

  • SHA256

    0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754

  • SHA512

    f6b173d1952bf663188c80b8c7c05b4e854d708aa561a4e490cb33840295105c3871121196bec5ad66fdc421d6f4c77e3aaf55e33dda3136dacfac00d0239db9

  • SSDEEP

    24576:wFS04YNEMuExDiU6E5R9s8xY/2l/drtnIbt+r5:w34auS+UjfU2TrdIbt+r

Malware Config

Extracted

Family

orcus

C2

192.168.2.7

Mutex

131f2624515a483697ab2414836891bb

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/25/2025 18:29:37

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754

    • Size

      839KB

    • MD5

      f8fbd7b9f090423f8851529e647a64ef

    • SHA1

      177dc6e93a4808fa1fb7e1dcd9235ce4559dbc8b

    • SHA256

      0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754

    • SHA512

      f6b173d1952bf663188c80b8c7c05b4e854d708aa561a4e490cb33840295105c3871121196bec5ad66fdc421d6f4c77e3aaf55e33dda3136dacfac00d0239db9

    • SSDEEP

      24576:wFS04YNEMuExDiU6E5R9s8xY/2l/drtnIbt+r5:w34auS+UjfU2TrdIbt+r

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks