Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    vmprotect.vmp.exe

  • Size

    16.8MB

  • Sample

    230712-l3w6ascg39

  • MD5

    b4b629b3969203203accb2f961008eda

  • SHA1

    d46c88e5026389792030a5a7e6235ff6623ea65a

  • SHA256

    82ac2d2af9a3c49885e2f31845a122113c914565c93f2fc6743397a8bb14a185

  • SHA512

    9e8924ff17bad852de54f76104ea9f2816a1547af38e0f5208f2f0c7a4b3962a610c78c29b30670160396b8ed8571bf859ec974ecf43e0b7d171560653d8982f

  • SSDEEP

    196608:AqAvdSSgRmNfKgTngXpEN5o9P34724NE3pB2qY0nuddervStDbIqJICAtCEHx0eC:APkSNPTnWEvo9Py5u9lQeAbuZCER0dX

Malware Config

Extracted

Family

orcus

C2

increased-religious.at.ply.gg:58082

Mutex

c79251c991194aaa8316dab2df886a8b

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\BossWatchdog.exe

Targets

    • Target

      vmprotect.vmp.exe

    • Size

      16.8MB

    • MD5

      b4b629b3969203203accb2f961008eda

    • SHA1

      d46c88e5026389792030a5a7e6235ff6623ea65a

    • SHA256

      82ac2d2af9a3c49885e2f31845a122113c914565c93f2fc6743397a8bb14a185

    • SHA512

      9e8924ff17bad852de54f76104ea9f2816a1547af38e0f5208f2f0c7a4b3962a610c78c29b30670160396b8ed8571bf859ec974ecf43e0b7d171560653d8982f

    • SSDEEP

      196608:AqAvdSSgRmNfKgTngXpEN5o9P34724NE3pB2qY0nuddervStDbIqJICAtCEHx0eC:APkSNPTnWEvo9Py5u9lQeAbuZCER0dX

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Orcurs Rat Executable

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks