Overview

overview

10

Static

static

10

9eb8fe85dd...5d.exe

windows7-x64

10

9eb8fe85dd...5d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9eb8fe85ddbd493a9fcbef3334d8b2dad30f43fb4c5c5920eef8a8ff2ca2845d

  • Size

    1.4MB

  • Sample

    250219-bjkm2svpx5

  • MD5

    dd926588433da13d449e992412b2dd6b

  • SHA1

    5c959d0eb6ce0f815c1cf5bfba872e6dd08f19de

  • SHA256

    9eb8fe85ddbd493a9fcbef3334d8b2dad30f43fb4c5c5920eef8a8ff2ca2845d

  • SHA512

    351d80925cf934cb6673b767761cb6d4b5b4d5a4ac9066a428b59b4d5657ba69a406fd1d5e12981c7450c35f072ef05c9419b9cb1a76f238e31ef92fa0f16bbd

  • SSDEEP

    24576:DFpMS04YNEMuExDiU6E5R9s8xY/2l/d0J5dtsPxNGfNZIbt+rr8m3c:DFpk4auS+UjfU2Tg5XDnIbt+rQm3

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

192.168.10.8

Mutex

2909df20f41d462e9c071227f270d9c7

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    02/18/2025 19:42:27

  • plugins

    AgUFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGMAMwBhAGIAOABjADIANAA0ADkANAA4ADQANwAzADAAYgA0AGIAOAA3AGUAMABjADMAYgAzADAAZgA0ADIAYQABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDYANQBkADIANQBmADQAMwBkADUAYgA5ADQANAA3ADEAOQBmAGEAMAAxAGEANwBmAGEAMwAxAGQAOQAwAGMAMAACAAAEBA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      9eb8fe85ddbd493a9fcbef3334d8b2dad30f43fb4c5c5920eef8a8ff2ca2845d

    • Size

      1.4MB

    • MD5

      dd926588433da13d449e992412b2dd6b

    • SHA1

      5c959d0eb6ce0f815c1cf5bfba872e6dd08f19de

    • SHA256

      9eb8fe85ddbd493a9fcbef3334d8b2dad30f43fb4c5c5920eef8a8ff2ca2845d

    • SHA512

      351d80925cf934cb6673b767761cb6d4b5b4d5a4ac9066a428b59b4d5657ba69a406fd1d5e12981c7450c35f072ef05c9419b9cb1a76f238e31ef92fa0f16bbd

    • SSDEEP

      24576:DFpMS04YNEMuExDiU6E5R9s8xY/2l/d0J5dtsPxNGfNZIbt+rr8m3c:DFpk4auS+UjfU2Tg5XDnIbt+rQm3

    Score
    10/10
    orcusdiscoveryratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks