orcus

General

Target

FortniteFreeCheat.exe
Size

1.4MB
Sample

250222-tmlzdssray
MD5

de9a98e1783f30b91e677c9c1659d8ee
SHA1

2323a1d75c7a5838de500e8b115cff28bdf43aac
SHA256

cb3933c3e0cf9676ed65de6b85d3714a52647cf967b964bd66493a099c2dc14b
SHA512

3bbd511d672b8983fbf0fae8fb068ba8b98a15b8e555db1f15f53380848785c8d8810b30a35e42c792ddbf7faf25594d3d4cb57df5fc4323d0273d097e472587
SSDEEP

24576:u9qPS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfn24Ibt+rK9/V2Udr7HlClE:u9ql4auS+UjfU2T/5XD+4Ibt+rK/V2Uf

Score

10^/10

Malware Config

Extracted

Family

orcus

C2

127.0.0.1

Mutex

7effa10ca3c9472697b472ca14e6fdab

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
02/22/2003 16:02:33
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgYwA1ADgAMQBiAGQAZgBkAGQANgAwADQANAA1AGMAYQA5ADAAMAAzAGQANAAxADgANQAzAGYAMgA4ADcAYgA5AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGYAYgAxADQAYgBiADMAOQA5AGYANAAzADQANgBkAGMAYgAyADUAOQAzADcAZAAyADgANQA1ADIANgBmADEAZQABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDQAMwBlAGQANQAzADcAMwA0AGYAOABiADQAMAAzADgAOAA2AGEANwBkADgAZgA1AGMAYwA5AGIAOAA2AGYAMQACAAYG
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  FortniteFreeCheat.exe
- Size
  
  1.4MB
- MD5
  
  de9a98e1783f30b91e677c9c1659d8ee
- SHA1
  
  2323a1d75c7a5838de500e8b115cff28bdf43aac
- SHA256
  
  cb3933c3e0cf9676ed65de6b85d3714a52647cf967b964bd66493a099c2dc14b
- SHA512
  
  3bbd511d672b8983fbf0fae8fb068ba8b98a15b8e555db1f15f53380848785c8d8810b30a35e42c792ddbf7faf25594d3d4cb57df5fc4323d0273d097e472587
- SSDEEP
  
  24576:u9qPS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfn24Ibt+rK9/V2Udr7HlClE:u9ql4auS+UjfU2T/5XD+4Ibt+rK/V2Uf
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2