orcus | 02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748

General

Target

02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe
Size

1.2MB
MD5

284faf4d035afff98a534f6d8fe4ddab
SHA1

4eb6fcd884176deaea3fad9eabc2313cc1beb547
SHA256

02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748
SHA512

f5ea74b26c7042a9ef4067afcb3699942df1af87da745455dc84284819d7b2f2a0458a04caf1635ddc840efdd8161937c2958064bb498c2b76d0d16ab4af8790
SSDEEP

24576:p9qPS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfSdIbt+rx:p9ql4auS+UjfU2T/5XDaIbt+r

Score

10^/10

orcus csgoskinhack2 discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

CSGOSkinHack2

C2

10.0.2.15

Mutex

af9dc49d3c914466b9a3fb43bff5d514

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/18/2017 15:09:59
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgYwBiADcAZgBhAGUAOQAwAGQAMQA0ADUANABkADMANQBiADIAMgA3ADIAYwA5ADgAMwA1AGUANAAzADYAMgAyAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDQANwA3ADEAZgA5AGUAMAAyADAAZAAyADQAZQAxAGIAYgAzAGUAMQA1AGQANwAxADUANQBiADMANAAzADEAMwABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIGUAZAAwADAAYwAwADIANgA1ADcAMgBiADQAMABjADMAYQA4AGMAMABiADcAYQAzAGMAMgBhAGQANQBiAGQANgACAAYG
reconnect_delay
10000
registry_hidden_autostart
false
set_admin_flag
false
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Executes dropped EXE 1 IoCs

pid	Process
2156	AudioDriver.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe
2156	AudioDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe
2156	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	AudioDriver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	AudioDriver.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2156	AudioDriver.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2156	2444	02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe	29
PID 2444 wrote to memory of 2156	2444	02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe	29
PID 2444 wrote to memory of 2156	2444	02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe	29
PID 2444 wrote to memory of 2156	2444	02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe	29

C:\Users\Admin\AppData\Local\Temp\02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe
"C:\Users\Admin\AppData\Local\Temp\02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
1.2MB

MD5
284faf4d035afff98a534f6d8fe4ddab

SHA1
4eb6fcd884176deaea3fad9eabc2313cc1beb547

SHA256
02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748

SHA512
f5ea74b26c7042a9ef4067afcb3699942df1af87da745455dc84284819d7b2f2a0458a04caf1635ddc840efdd8161937c2958064bb498c2b76d0d16ab4af8790

Download Submit
\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
memory/2156-30-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2156-29-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-24-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2156-20-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-18-0x0000000001280000-0x00000000013B4000-memory.dmp

Filesize
1.2MB

Download
memory/2156-17-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2444-4-0x0000000002090000-0x00000000020DC000-memory.dmp

Filesize
304KB

Download
memory/2444-10-0x00000000021F0000-0x000000000223E000-memory.dmp

Filesize
312KB

Download
memory/2444-7-0x00000000055E0000-0x0000000005698000-memory.dmp

Filesize
736KB

Download
memory/2444-19-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2444-6-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/2444-5-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2444-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2444-3-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2444-2-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/2444-1-0x0000000000880000-0x00000000009B4000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing