Malware Analysis Report

2025-03-15 06:40

Sample ID 250109-bzkyrasmbz
Target 026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0
SHA256 026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0
Tags
rat free netflix crack orcus discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0

Threat Level: Known bad

The file 026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0 was found to be: Known bad.

Malicious Activity Summary

rat free netflix crack orcus discovery spyware stealer

Orcus

Orcus family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-09 01:34

Signatures

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-09 01:34

Reported

2025-01-09 01:37

Platform

win7-20240903-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe

"C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp

Files

memory/2544-0-0x0000000074361000-0x0000000074362000-memory.dmp

memory/2544-1-0x0000000074360000-0x000000007490B000-memory.dmp

memory/2544-2-0x0000000074360000-0x000000007490B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 7a12a0cad575f79843b9a4f28ca7a441
SHA1 dfd58130b66ae3ddfca91154c751a4c42543488a
SHA256 026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0
SHA512 c888ba6ed2937d6da379520f30293a140257bf581add64e8932bf2385344afb721a79d588f67e980029ce931f7401542859fce1a6959bda9138476a9d0cbf726

memory/2544-11-0x0000000074360000-0x000000007490B000-memory.dmp

memory/1740-14-0x0000000074360000-0x000000007490B000-memory.dmp

memory/1740-13-0x0000000074360000-0x000000007490B000-memory.dmp

memory/1740-12-0x0000000074360000-0x000000007490B000-memory.dmp

memory/1740-16-0x0000000074360000-0x000000007490B000-memory.dmp

\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

MD5 d8aec01ff14e3e7ad43a4b71e30482e4
SHA1 e3015f56f17d845ec7eef11d41bbbc28cc16d096
SHA256 da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e
SHA512 f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

memory/1740-23-0x0000000074360000-0x000000007490B000-memory.dmp

memory/1740-24-0x0000000060900000-0x0000000060992000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-09 01:34

Reported

2025-01-09 01:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe

"C:\Users\Admin\AppData\Local\Temp\026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 213.182.126.56:10134 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 213.182.126.56:10134 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 213.182.126.56:10134 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp
DE 213.182.126.56:10134 tcp

Files

memory/2728-0-0x0000000075102000-0x0000000075103000-memory.dmp

memory/2728-1-0x0000000075100000-0x00000000756B1000-memory.dmp

memory/2728-2-0x0000000075100000-0x00000000756B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 7a12a0cad575f79843b9a4f28ca7a441
SHA1 dfd58130b66ae3ddfca91154c751a4c42543488a
SHA256 026bbcce930320931163d384cc3621ca926610ff2a956e1f74cf109e79874bf0
SHA512 c888ba6ed2937d6da379520f30293a140257bf581add64e8932bf2385344afb721a79d588f67e980029ce931f7401542859fce1a6959bda9138476a9d0cbf726

memory/2728-19-0x0000000075100000-0x00000000756B1000-memory.dmp

memory/2280-20-0x0000000075100000-0x00000000756B1000-memory.dmp

memory/2280-21-0x0000000075100000-0x00000000756B1000-memory.dmp

memory/2280-18-0x0000000075100000-0x00000000756B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

MD5 d8aec01ff14e3e7ad43a4b71e30482e4
SHA1 e3015f56f17d845ec7eef11d41bbbc28cc16d096
SHA256 da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e
SHA512 f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

memory/2280-30-0x0000000075100000-0x00000000756B1000-memory.dmp

memory/2280-31-0x0000000075100000-0x00000000756B1000-memory.dmp

memory/2280-32-0x0000000060900000-0x0000000060992000-memory.dmp