
General

  • Target

    0fd80d91faaf4a05167f34418ea29c50b4dfe821fe4d4b4c924253a44861ac06

  • Size

    909KB

  • Sample

    231122-lv5gpsbe96

  • MD5

    e0efbb5ba99c26ca5d9467e560deabc9

  • SHA1

    22870db71d3adfdc5d9401d43566e9fe6263ed05

  • SHA256

    0fd80d91faaf4a05167f34418ea29c50b4dfe821fe4d4b4c924253a44861ac06

  • SHA512

    b56dbdf1c590e4c64c60d57f908244e8fff69a40f5dc1e55ab9fe0bd9492ff40d48ddf8d4db5d511de436ddb7fdcf98c6645e1a718387822a0f7d53bac89aae4

  • SSDEEP

    24576:Lsw4MROxnFj3nxXFHXRrZlI0AilFEvxHipa+:LsTMi1xRhrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

147.185.221.16:18245

Mutex

10ab054536d04543b76e6233aed65734

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %appdata%\wins\HostConfig.exe

  • reconnect_delay

    10000

  • registry_keyname

    HostConfig

  • taskscheduler_taskname

    Hosts

  • watchdog_path

    AppData\ConfiguraçãodoSistema.exe (Portuguese "Configuração do Sistema", i.e. "System Configuration")
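The extracted configuration above is directly actionable for hunting: the C2 endpoint, mutex, install path, Run-key value name, scheduled-task name and watchdog path can each be matched against host telemetry. The script below is an added example for this page, not code from tria.ge or from Orcus. It reads the values as shown on the page and runs them over constructed Sysmon-style event records; the event field names (`type`, `image`, `target`, `dest_ip`, `dest_port`, `name`), the user profile path, the assumption that the `Registry` autostart method writes a value named `HostConfig` under a `Run` key, and the function names `build_indicators` and `hunt` are all assumptions made for this example.

```python
"""Hunt for the Orcus configuration extracted on this page in host telemetry.

Added example, not part of the original tria.ge report. Event records below
are constructed Sysmon-style telemetry with assumed field names.
"""
import re
from typing import Dict, List, Tuple

# Configuration values as extracted on this page.
ORCUS_CONFIG: Dict[str, str] = {
    "c2": "147.185.221.16:18245",
    "mutex": "10ab054536d04543b76e6233aed65734",
    "install_path": r"%appdata%\wins\HostConfig.exe",
    "registry_keyname": "HostConfig",
    "taskscheduler_taskname": "Hosts",
    "watchdog_path": r"AppData\ConfiguraçãodoSistema.exe",
}


def _norm(path: str) -> str:
    """Lower-case and unify separators so config-relative paths can be matched
    against fully expanded telemetry paths by suffix."""
    return path.replace("/", "\\").lower()


def build_indicators(cfg: Dict[str, str]) -> Dict[str, object]:
    """Turn the raw config into matchable indicators.

    Paths become suffixes because the config uses %appdata% while telemetry
    carries the expanded C:\\Users\\<user>\\AppData\\Roaming\\... form.
    """
    host, port = cfg["c2"].rsplit(":", 1)
    install_suffix = _norm(re.sub(r"(?i)%appdata%", "", cfg["install_path"]))
    # watchdog_path is relative to the user profile directory.
    watchdog_suffix = "\\" + _norm(cfg["watchdog_path"])
    return {
        "c2": (host, int(port)),
        "mutex": cfg["mutex"].lower(),
        "install_suffix": install_suffix,
        "watchdog_suffix": watchdog_suffix,
        # Assumed: the 'Registry' autostart method writes a value named
        # registry_keyname under a Run key (HKCU or HKLM).
        "run_value_suffix": "\\run\\" + cfg["registry_keyname"].lower(),
        # Scheduled tasks are persisted as XML under %SystemRoot%\System32\Tasks\<name>.
        "task_file_suffix": "\\system32\\tasks\\" + cfg["taskscheduler_taskname"].lower(),
    }


def hunt(events: List[Dict[str, object]], cfg: Dict[str, str] = ORCUS_CONFIG) -> List[Tuple[int, str]]:
    """Return (event_index, config_field) pairs for every event that touches
    an indicator derived from the config."""
    ind = build_indicators(cfg)
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process_create":
            image = _norm(str(ev.get("image", "")))
            if image.endswith(ind["install_suffix"]):
                hits.append((i, "install_path"))
            if image.endswith(ind["watchdog_suffix"]):
                hits.append((i, "watchdog_path"))
        elif kind == "network_connect":
            if (ev.get("dest_ip"), ev.get("dest_port")) == ind["c2"]:
                hits.append((i, "c2"))
        elif kind == "registry_set":
            if _norm(str(ev.get("target", ""))).endswith(ind["run_value_suffix"]):
                hits.append((i, "registry_keyname"))
        elif kind == "file_create":
            if _norm(str(ev.get("target", ""))).endswith(ind["task_file_suffix"]):
                hits.append((i, "taskscheduler_taskname"))
        elif kind == "mutex_create":
            # Sysmon does not log mutexes; this record mimics sandbox/ETW output.
            if str(ev.get("name", "")).lower().endswith(ind["mutex"]):
                hits.append((i, "mutex"))
    return hits


# Constructed sample telemetry: two benign records mixed with the six
# artefacts this configuration would leave on an infected host.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Roaming\wins\HostConfig.exe"},
    {"type": "registry_set", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\HostConfig"},
    {"type": "file_create", "target": r"C:\Windows\System32\Tasks\Hosts"},
    {"type": "network_connect", "dest_ip": "8.8.8.8", "dest_port": 53},
    {"type": "network_connect", "dest_ip": "147.185.221.16", "dest_port": 18245},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\ConfiguraçãodoSistema.exe"},
    {"type": "mutex_create", "name": r"\Sessions\1\BaseNamedObjects\10ab054536d04543b76e6233aed65734"},
]

if __name__ == "__main__":
    for idx, field in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: matches config field {field}")
```

Matching on path suffixes rather than full paths is deliberate: the operator-controlled parts of the config (`wins\HostConfig.exe`, the scheduled-task name `Hosts`) survive whatever user profile the sample lands in, while a literal `%appdata%` string never appears in telemetry. The watchdog path, by contrast, sits directly under `AppData` rather than `AppData\Roaming`, so the two executables are matched with separate suffixes.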

Targets

    • Target

      0fd80d91faaf4a05167f34418ea29c50b4dfe821fe4d4b4c924253a44861ac06

    • Orcus

      Orcus is a Remote Access Trojan (RAT) sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops desktop.ini file(s)
