Overview

overview

10

Static

static

10

MoonHubLauncher.exe

windows7-x64

10

MoonHubLauncher.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    882s
  • max time network
    893s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2025 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MoonHubLauncher.exe

  • Size

    905KB

  • MD5

    741337449426e923274848296676e672

  • SHA1

    e382a890ff9c0af6235c2c4b4af160eaad9d7141

  • SHA256

    9950cca92e19b3b7d6a9fd60fa744466f947e44ef4e8133a18a7c1d1b664d93d

  • SHA512

    7e3e88652c6d088954fdcdf5407e7b9c5bee9307f9aa72fd830955e9e86397f1d4fe032bef23648a16c2f4e42e601983584c9cef96c703e1cf042ca9099ccfc5

  • SSDEEP

    24576:HxdS04YNEMuExDiU6E5R9s8xY/2l/d2tnIbt+r/:RP4auS+UjfU2T2dIbt+r

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

3shop-extreme.gl.at.ply.gg

Mutex

cc6e39004c7942deb2f07beb81bc24f5

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/07/2022 15:58:23

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MoonHubLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\MoonHubLauncher.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\Ez.exe
        "C:\Users\Admin\AppData\Local\Temp\Ez.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\SysWOW64\WindowsInput.exe
          "C:\Windows\SysWOW64\WindowsInput.exe" --install
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabBF7A.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    Filesize

    905KB

    MD5

    741337449426e923274848296676e672

    SHA1

    e382a890ff9c0af6235c2c4b4af160eaad9d7141

    SHA256

    9950cca92e19b3b7d6a9fd60fa744466f947e44ef4e8133a18a7c1d1b664d93d

    SHA512

    7e3e88652c6d088954fdcdf5407e7b9c5bee9307f9aa72fd830955e9e86397f1d4fe032bef23648a16c2f4e42e601983584c9cef96c703e1cf042ca9099ccfc5

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.InstallLog
    Filesize

    224B

    MD5

    e469dda91ae810a1f94c96060f3f8a65

    SHA1

    0b4b3b0f6f937016b1e045ce5313ee2a65a38630

    SHA256

    d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

    SHA512

    2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.InstallLog
    Filesize

    597B

    MD5

    c2291863df7c2d3038ce3c22fa276506

    SHA1

    7b7d2bc07a6c35523807342c747c9b6a19f3184e

    SHA256

    14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

    SHA512

    00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Ez.exe
    Filesize

    839KB

    MD5

    fed8f0963716c740101f2d947f9da6fc

    SHA1

    fb49b6ab30b340fa1a7aabd217a258f41ef3f31c

    SHA256

    7bb971345070013e8a8b7c14790871fec79a269af9004438d02638219bcb2153

    SHA512

    adf230c1e37d396d073d433f6283915a95eafba3c43b52691e307b70a3ab1efbfac75d96be1224f5250321999a788744998e1fb49d3ad8347c5aadc4417dfd78

    Download Submit

  • \Users\Admin\AppData\Local\Temp\opus.dll
    Filesize

    332KB

    MD5

    1fc04b8bb4896745163df806695ee193

    SHA1

    39174ce2fca9a3e86bb7a5686037bc42f2572de1

    SHA256

    3f2b2fd440fdd84288dadfc63e37a4bc7ea0aae26889ab0d4a5ef6148f44ce14

    SHA512

    3ff18bdd364f27e54ffbf2d1af53e3500ec57e7e8fa14185f7fb1ef6639d69ac6253543b9e2155ade45ca5bcd567e94334f1ee7ad0a7ff28194168dc49883261

    Download Submit

  • \Windows\SysWOW64\WindowsInput.exe
    Filesize

    21KB

    MD5

    e854a4636afc652b320e12e50ba4080e

    SHA1

    8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

    SHA256

    94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

    SHA512

    30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

    Download Submit

  • memory/1664-1-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1664-2-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1664-0-0x0000000074661000-0x0000000074662000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-13-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2464-15-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2464-35-0x0000000004A60000-0x0000000004A62000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2464-34-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2464-33-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2464-32-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2464-12-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2464-14-0x0000000074660000-0x0000000074C0B000-memory.dmp

    Filesize

    5.7MB

    Download