Overview

overview

10

Static

static

10

idk.exe

windows10-ltsc 2021-x64

10

idk.exe

windows11-21h2-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    idk.exe

  • Size

    839KB

  • Sample

    250110-e2d5rsvjfr

  • MD5

    3ce1d3201922d8c937a33d67a6a28f7c

  • SHA1

    216b069f775ef6a6421862060d2bb8cce273ca78

  • SHA256

    f85d2d4bd5f31e9e128c6453f7f3ef5e374985471854d99358da4c9ce8cb2545

  • SHA512

    bcc5b02c768a5955016fa485ddd74a8cc2216ef26422e2bf2418f80947e9df7d5ffe4b9206b47f90e7975f9917892f859437946d691470cc31a79bd26d69bb1c

  • SSDEEP

    24576:IpS04YNEMuExDiU6E5R9s8xY/2l/dmtnIbt+rv:IL4auS+UjfU2TmdIbt+r

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

5.tcp.eu.ngrok.io

Mutex

0b3ea660c9da46fea809ad6fd0aac917

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/10/2025 05:24:40

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      idk.exe

    • Size

      839KB

    • MD5

      3ce1d3201922d8c937a33d67a6a28f7c

    • SHA1

      216b069f775ef6a6421862060d2bb8cce273ca78

    • SHA256

      f85d2d4bd5f31e9e128c6453f7f3ef5e374985471854d99358da4c9ce8cb2545

    • SHA512

      bcc5b02c768a5955016fa485ddd74a8cc2216ef26422e2bf2418f80947e9df7d5ffe4b9206b47f90e7975f9917892f859437946d691470cc31a79bd26d69bb1c

    • SSDEEP

      24576:IpS04YNEMuExDiU6E5R9s8xY/2l/dmtnIbt+rv:IL4auS+UjfU2TmdIbt+r

    Score
    10/10
    orcusdiscoveryratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks