
Resubmissions

13/11/2024, 08:48 UTC

241113-kqly5ayfmm 10

13/11/2024, 08:46 UTC

241113-kpsqaa1rfr 10

General

  • Target

    yef.exe.zip

  • Size

    1.2MB

  • Sample

    241113-kpsqaa1rfr

  • MD5

    3d403c4b277e6a66a486c576cb1460d8

  • SHA1

    be7429f0377caa3e16de7a00c1b4f4fec8445010

  • SHA256

    f9ceb47834651e67fc99d1ca578bc6a72373ec281ca9e5b678e86a879b0da4a4

  • SHA512

    31928aa26818ecd263395a578b3da4e3de7ffd70d96ac2f4ae910633098330fc9195ef48a8b6a0ed41812cbdf40190e259c9a6f38c7e8c69d208f33eed62ce88

  • SSDEEP

    24576:b6jwjKGKR4erUDxDZqckoz0IiaCM5wEED6FMpAUrwkXgK:b6aQR7wVqcmIpr4D6FtsP

Malware Config

Extracted

Family

orcus

Botnet

cuties

C2

5virginia-evil.gl.at.ply.gg

Mutex

c75fa2addeaf42abb9797c0d693eca2b

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    10/27/2024 02:14:09

  • plugins


  • reconnect_delay

    10000

  • registry_autostart_keyname

    cmd

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

  • aes.plain

    CrackedByWardow
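The extracted configuration above gives a host-side hunt list: the installation path, the scheduled-task name, the Run-key value name, the mutex and the C2 hostname. The script below is an added example, not part of the tria.ge report or the sample, that checks a Windows host for each of those. Two caveats a practitioner should keep in mind before treating a miss as clean: `install` is `false` in this config, so the file, task and Run value may never be written and the live mutex and C2 connection are the more reliable indicators; and `5virginia-evil.gl.at.ply.gg` is a hostname under ply.gg, the domain used by the playit.gg tunnelling service, so the IP it resolves to belongs to the tunnel edge rather than the operator and can change. The registry path used for the `cmd` value (the standard `...\CurrentVersion\Run` key) and the `Global\` mutex namespace variant are assumptions; the config only names the value and the mutex string.

```powershell
# Added example: hunt for the Orcus artifacts named in the extracted config.
# Indicator strings come from the report; key paths and the Global\ mutex
# variant are assumptions. Run in an elevated PowerShell on the host being checked.

$Config = [ordered]@{
    InstallPath   = [Environment]::ExpandEnvironmentVariables('%appdata%\Microsoft\Speech\AudioDriver.exe')
    TaskName      = 'Audio HD Driver'
    RunValueName  = 'cmd'
    Mutex         = 'c75fa2addeaf42abb9797c0d693eca2b'
    C2Host        = '5virginia-evil.gl.at.ply.gg'
    DroppedSha256 = 'd05f328df78420b8d97cb7205cccee30617ebeff333ac8d5ed32f6da69563baa'  # yef.exe.bin
}

function New-Hit($Indicator, $Detail, $Value, [bool]$Match = $true) {
    [pscustomobject]@{ Indicator = $Indicator; Detail = $Detail; Match = $Match; Value = $Value }
}

function Test-OrcusArtifacts {
    $hits = @()

    # 1. Dropped binary at the configured installation folder; compare its SHA256
    #    to the unpacked sample. A file at the path with a different hash is still
    #    worth a look (rebuilt payload), so both outcomes are reported.
    if (Test-Path -LiteralPath $Config.InstallPath) {
        $hash = (Get-FileHash -LiteralPath $Config.InstallPath -Algorithm SHA256).Hash.ToLower()
        $hits += New-Hit 'file' $Config.InstallPath $hash ($hash -eq $Config.DroppedSha256)
    }

    # 2. Scheduled task with the configured name (tasksch_name in the config).
    $task = Get-ScheduledTask -TaskName $Config.TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $hits += New-Hit 'scheduled_task' $Config.TaskName $actions
    }

    # 3. Run-key value named "cmd" (registry_autostart_keyname). The name is generic,
    #    so the Value column (the command it launches) is what to confirm against.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"   # assumed standard Run key
        $prop = Get-ItemProperty -Path $key -Name $Config.RunValueName -ErrorAction SilentlyContinue
        if ($prop) {
            $hits += New-Hit 'run_key' "$key\$($Config.RunValueName)" $prop.($Config.RunValueName)
        }
    }

    # 4. Live mutex: present only while the RAT is running. Access denied means
    #    the object exists but belongs to another session or integrity level.
    foreach ($name in $Config.Mutex, "Global\$($Config.Mutex)") {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Close()
            $hits += New-Hit 'mutex' $name 'open'
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present under this name
        } catch [System.UnauthorizedAccessException] {
            $hits += New-Hit 'mutex' $name 'exists (access denied)'
        }
    }

    # 5. Established TCP connections to whatever the tunnel hostname currently
    #    resolves to, with the owning process so the beaconing binary can be found.
    $ips = @()
    try { $ips = @((Resolve-DnsName -Name $Config.C2Host -Type A -ErrorAction Stop).IPAddress) } catch { }
    if ($ips.Count -gt 0) {
        $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
                 Where-Object { $ips -contains $_.RemoteAddress }
        foreach ($c in $conns) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            $hits += New-Hit 'c2_connection' "$($c.RemoteAddress):$($c.RemotePort)" "pid $($c.OwningProcess) $($proc.ProcessName) $($proc.Path)"
        }
    }

    return $hits
}

$results = Test-OrcusArtifacts
if ($results) { $results | Format-Table -AutoSize } else { 'No Orcus artifacts from this config found.' }
```

The DNS lookup is done at run time on purpose: the report records a hostname, not an address, and pinning the tunnel edge IP into a detection would go stale. For fleet-wide use, feed the same five checks into an EDR query instead, keeping the mutex and the hostname as the high-confidence terms and the file path, task name and `cmd` value name as supporting context.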

Targets

    • Target

      yef.exe.bin

    • Size

      1.2MB

    • MD5

      58991bbcf8a974e128ba64f3bcb31e6e

    • SHA1

      645a5096283c1f0b63ff07f3927534e44804114d

    • SHA256

      d05f328df78420b8d97cb7205cccee30617ebeff333ac8d5ed32f6da69563baa

    • SHA512

      76c35a2b6b787ded9c049b189b8844019720f47c0f2e07ced1c9b9b7622382d50062770f222ad1a0a626e66498be3d3e6cc22ca9c7fbf72d3b29b7f59e881eb6

    • SSDEEP

      24576:rwVTXJvatkjAE+k/7aygMpbUdtoQVj020iDqxJooLUcdJYRk:KTQujL+hMyhVj8y8J7UcG

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Runs commands via powershell.exe.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
