orcus

General

Target

02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748
Size

1.2MB
Sample

241221-bn8wfayrdm
MD5

284faf4d035afff98a534f6d8fe4ddab
SHA1

4eb6fcd884176deaea3fad9eabc2313cc1beb547
SHA256

02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748
SHA512

f5ea74b26c7042a9ef4067afcb3699942df1af87da745455dc84284819d7b2f2a0458a04caf1635ddc840efdd8161937c2958064bb498c2b76d0d16ab4af8790
SSDEEP

24576:p9qPS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfSdIbt+rx:p9ql4auS+UjfU2T/5XDaIbt+r

Score

10^/10

Malware Config

Extracted

Family

orcus

Botnet

CSGOSkinHack2

C2

10.0.2.15

Mutex

af9dc49d3c914466b9a3fb43bff5d514

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/18/2017 15:09:59
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgYwBiADcAZgBhAGUAOQAwAGQAMQA0ADUANABkADMANQBiADIAMgA3ADIAYwA5ADgAMwA1AGUANAAzADYAMgAyAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDQANwA3ADEAZgA5AGUAMAAyADAAZAAyADQAZQAxAGIAYgAzAGUAMQA1AGQANwAxADUANQBiADMANAAzADEAMwABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIGUAZAAwADAAYwAwADIANgA1ADcAMgBiADQAMABjADMAYQA4AGMAMABiADcAYQAzAGMAMgBhAGQANQBiAGQANgACAAYG
reconnect_delay
10000
registry_hidden_autostart
false
set_admin_flag
false
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748
- Size
  
  1.2MB
- MD5
  
  284faf4d035afff98a534f6d8fe4ddab
- SHA1
  
  4eb6fcd884176deaea3fad9eabc2313cc1beb547
- SHA256
  
  02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748
- SHA512
  
  f5ea74b26c7042a9ef4067afcb3699942df1af87da745455dc84284819d7b2f2a0458a04caf1635ddc840efdd8161937c2958064bb498c2b76d0d16ab4af8790
- SSDEEP
  
  24576:p9qPS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfSdIbt+rx:p9ql4auS+UjfU2T/5XDaIbt+r
Score

10^/10

orcus csgoskinhack2 discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Orcus family
  orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2