Overview

overview

10

Static

static

3

yef.exe

windows7-x64

6

yef.exe

windows10-2004-x64

10

Resubmissions

13-11-2024 08:48

241113-kqly5ayfmm 10

13-11-2024 08:46

241113-kpsqaa1rfr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    yef.exe.zip

  • Size

    1.2MB

  • Sample

    241113-kpsqaa1rfr

  • MD5

    3d403c4b277e6a66a486c576cb1460d8

  • SHA1

    be7429f0377caa3e16de7a00c1b4f4fec8445010

  • SHA256

    f9ceb47834651e67fc99d1ca578bc6a72373ec281ca9e5b678e86a879b0da4a4

  • SHA512

    31928aa26818ecd263395a578b3da4e3de7ffd70d96ac2f4ae910633098330fc9195ef48a8b6a0ed41812cbdf40190e259c9a6f38c7e8c69d208f33eed62ce88

  • SSDEEP

    24576:b6jwjKGKR4erUDxDZqckoz0IiaCM5wEED6FMpAUrwkXgK:b6aQR7wVqcmIpr4D6FtsP

Score
10/10
orcuscutiesdiscoveryexecutionratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

cuties

C2

5virginia-evil.gl.at.ply.gg

Mutex

c75fa2addeaf42abb9797c0d693eca2b

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    10/27/2024 02:14:09

  • plugins

    AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNwA2ADkAMwA2AGQAMQAzAGMAYQAwAGMANAA5ADQANgA5AGIAMgBkAGUAOAA5ADQAMAAxADkANABiAGEAMAAzAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDAAYQA4ADAANgA5AGMAZAA2AGUAMwA1ADQANAA1ADQAYQBkADMAOAAwAGQANABjAGIAYQA4ADYANQA2ADAANwABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDQAZAA0ADEAYQAwADEAMgBkADgAMwBlADQAOABmADQAYQAxADEAYQBiAGYAYwA3ADMAMQBkADIAOQAwAGEAYwACAAYG

  • reconnect_delay

    10000

  • registry_autostart_keyname

    cmd

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      yef.exe.bin

    • Size

      1.2MB

    • MD5

      58991bbcf8a974e128ba64f3bcb31e6e

    • SHA1

      645a5096283c1f0b63ff07f3927534e44804114d

    • SHA256

      d05f328df78420b8d97cb7205cccee30617ebeff333ac8d5ed32f6da69563baa

    • SHA512

      76c35a2b6b787ded9c049b189b8844019720f47c0f2e07ced1c9b9b7622382d50062770f222ad1a0a626e66498be3d3e6cc22ca9c7fbf72d3b29b7f59e881eb6

    • SSDEEP

      24576:rwVTXJvatkjAE+k/7aygMpbUdtoQVj020iDqxJooLUcdJYRk:KTQujL+hMyhVj8y8J7UcG

    Score
    10/10
    discoveryexecutionorcuscutiesratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks