Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    3cb919870c09a5fc3daa89b139f290a96cb21d98fab590a76f09322f8735ee85

  • Size

    910KB

  • Sample

    231122-l1ajhsbf38

  • MD5

    376bdf0e0b0d057c0f05c3b5ffb68552

  • SHA1

    c363692cd6b1bed88b98cba8679f8718e51e01e2

  • SHA256

    3cb919870c09a5fc3daa89b139f290a96cb21d98fab590a76f09322f8735ee85

  • SHA512

    2c07a5095bdb0accc3212486b5612e08b4dd0eb459e29aac63224a1d684398f0cae5702caeed3f4ee00a306a043e981ee06e18df1a84c9fe4f741a2213d6a764

  • SSDEEP

    24576:Gk84MROxnFh/iJ2rZlI0AilFEvxHiwwOf:GkPMi3KQrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

orcusratanondomain.sytes.net:1604

Mutex

13bcf26dd78f4c9d94ba286a0d96d3ab

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      3cb919870c09a5fc3daa89b139f290a96cb21d98fab590a76f09322f8735ee85

    • Size

      910KB

    • MD5

      376bdf0e0b0d057c0f05c3b5ffb68552

    • SHA1

      c363692cd6b1bed88b98cba8679f8718e51e01e2

    • SHA256

      3cb919870c09a5fc3daa89b139f290a96cb21d98fab590a76f09322f8735ee85

    • SHA512

      2c07a5095bdb0accc3212486b5612e08b4dd0eb459e29aac63224a1d684398f0cae5702caeed3f4ee00a306a043e981ee06e18df1a84c9fe4f741a2213d6a764

    • SSDEEP

      24576:Gk84MROxnFh/iJ2rZlI0AilFEvxHiwwOf:GkPMi3KQrZlI0AilFEvxHi

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks