Overview

overview

10

Static

static

10

idk.exe

windows10-ltsc 2021-x64

10

idk.exe

windows11-21h2-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    idk.exe

  • Size

    839KB

  • Sample

    250110-z3sprszpbr

  • MD5

    45702e3cbbd1b1fa5bc5b2e1add59a28

  • SHA1

    62f523fc942ad0fde771da6591c6e80d62112f3b

  • SHA256

    885a499d2e0fd28f91423772902b48903d59ef9d11222ceacdb5d46159d41401

  • SHA512

    42b13e3bdc31255e62ee49c4e7d2c16486948ba1e5787dbfe8a8178ed5fae759e682c7d44c2ad10e283e83c5a4b12ca916f0ea3b9abb027a52435949293fe61e

  • SSDEEP

    24576:PpS04YNEMuExDiU6E5R9s8xY/2l/dmtnIbt+rq:PL4auS+UjfU2TmdIbt+r

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

0.tcp.eu.ngrok.io

Mutex

e45414bed9c8456683882800b3d5feba

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/10/2025 22:12:47

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      idk.exe

    • Size

      839KB

    • MD5

      45702e3cbbd1b1fa5bc5b2e1add59a28

    • SHA1

      62f523fc942ad0fde771da6591c6e80d62112f3b

    • SHA256

      885a499d2e0fd28f91423772902b48903d59ef9d11222ceacdb5d46159d41401

    • SHA512

      42b13e3bdc31255e62ee49c4e7d2c16486948ba1e5787dbfe8a8178ed5fae759e682c7d44c2ad10e283e83c5a4b12ca916f0ea3b9abb027a52435949293fe61e

    • SSDEEP

      24576:PpS04YNEMuExDiU6E5R9s8xY/2l/dmtnIbt+rq:PL4auS+UjfU2TmdIbt+r

    Score
    10/10
    orcusdiscoveryratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks