General
- Target: VT bypass binder.zip
- Size: 1.8MB
- Sample: 231126-x9cwsabh73
- MD5: b54f5e096680ce04840702e48b7d166b
- SHA1: 9178d17c87efc2b1cb4d080df7ac1dbc9e6646c7
- SHA256: 2864e500977882a37f0ff762a2918ce8d228ebdd583f66ffc1abcced8ef1155c
- SHA512: d9a4a89fcf32d71fc73372bcb0192c981b20214760b5b7f628b52188010bdad228a3e98ba05953dac282e991b32564abf02404708a545f5875092a4ec82f5bd0
- SSDEEP: 24576:V6fBpErZUevseeSKsqJJu4BPtSh03zfixEd1P3gLUB3g5BbkRie6XJLF7oKJqGBv:MrCVvse3T4BPoqWad133g3ARE95Jq6

Behavioral tasks
- behavioral1: VT bypass binder.zip (resource win7-20231020-en)
- behavioral2: VT bypass binder.zip (resource win10v2004-20231020-en)
- behavioral3: VT bypass binder/BypassGUI.exe (resource win7-20231023-en)
- behavioral4: VT bypass binder/BypassGUI.exe (resource win10v2004-20231025-en)
- behavioral5: VT bypass binder/PythonXZ.exe (resource win7-20231023-en)
- behavioral6: VT bypass binder/PythonXZ.exe (resource win10v2004-20231020-en)
- behavioral7: VT bypass binder/build.ahk (resource win7-20231020-en)
- behavioral8: VT bypass binder/build.ahk (resource win10v2004-20231023-en)
- behavioral9: VT bypass binder/default.ico (resource win7-20231025-en)
- behavioral10: VT bypass binder/default.ico (resource win10v2004-20231023-en)
- behavioral11: VT bypass binder/output.exe (resource win7-20231020-en)
- behavioral12: VT bypass binder/output.exe (resource win10v2004-20231023-en)
- behavioral13: VT bypass binder/sexclitxworm.exe (resource win7-20231020-en)
- behavioral14: VT bypass binder/sexclitxworm.exe (resource win10v2004-20231023-en)

Malware Config
Extracted
Family: orcus
groups-opportunity.at.ply.gg:55025:49668
e0eb928c842e4900aa44b95bd0163372
- autostart_method: Disable
- enable_keylogger: false
- install_path: %programfiles%\Orcus\Orcus.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: AppData\OrcusWatchdog.exe

Targets

Target: VT bypass binder.zip
- Size: 1.8MB
- MD5: b54f5e096680ce04840702e48b7d166b
- SHA1: 9178d17c87efc2b1cb4d080df7ac1dbc9e6646c7
- SHA256: 2864e500977882a37f0ff762a2918ce8d228ebdd583f66ffc1abcced8ef1155c
- SHA512: d9a4a89fcf32d71fc73372bcb0192c981b20214760b5b7f628b52188010bdad228a3e98ba05953dac282e991b32564abf02404708a545f5875092a4ec82f5bd0
- SSDEEP: 24576:V6fBpErZUevseeSKsqJJu4BPtSh03zfixEd1P3gLUB3g5BbkRie6XJLF7oKJqGBv:MrCVvse3T4BPoqWad133g3ARE95Jq6
- Score: 1/10

Target: VT bypass binder/BypassGUI.exe
- Size: 1.2MB
- MD5: 523527a01c3bd0226f17cc70886df36c
- SHA1: 3d70ba2e83fb515efb0dd3a1dd7e772514098fb2
- SHA256: 7c1928b0fec39ec7cb2198293f1e9bd3a12e10e34d2644418a27970044c768a0
- SHA512: 7977606badd53b9e89eaad42422476ad2825cd9d6a29a8b28b27d35cbac27f6f5c93b3e845af45a01a222b0e8789db1250e005496893d356774078818a1df4f6
- SSDEEP: 24576:6y07u12dt5Cnx/3FCEKb+lINSO28Q3k+hlUj/geBw8yVyQtvi1UtNe9MqE28:6y0MCt5Cnx/3FCEC+lIQO28Q3k+hEIe0
- Score: 1/10

Target: VT bypass binder/PythonXZ.exe
- Size: 903KB
- MD5: f0a195d9ffcb4626d8f072fb5c1dc2de
- SHA1: a46d78bda4a5bc661e414ecbdc49738396cae5e4
- SHA256: 086e64cf5e2ad4f0b3f472754ab4aeb1603b3d3e89c05ce1e6cc26f2725d2d38
- SHA512: d571421d1189fc4ebde326e0b774cc36e713438cab558efa3d7546523641506f603491c0a7782617e7858820b0d23d717d5ee97819c0ed1b65749bf2b7176aab
- SSDEEP: 24576:MVWC4MROxnFwOVrrcI0AilFEvxHPjoo5:MqMiC8rrcI0AilFEvxHP
Signatures:
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL

Target: VT bypass binder/build.ahk
- Size: 194B
- MD5: 1e50d8c9ce91b1245201ac0097987478
- SHA1: e3566a55f93be2a8307fb8d53e65d741172e0c59
- SHA256: 5c08fc84db4979cd21082805804057992dbf14f586880ce86270ad51d9195626
- SHA512: 6da1e3793d530551096f7f68bdbcf890beea6254fc1c4d6abe2b489a8fd9d5215faa7860b5689965d79f6b7e689bcdae9dcbf167e0acc38d1be9d4500bdd54a4
- Score: 3/10

Target: VT bypass binder/default.ico
- Size: 35KB
- MD5: f74503b22273aef038c811447b0727e7
- SHA1: 5d57c77c7122dd42826a877cc3816130dc47ee4f
- SHA256: 709acda0dbf33ae8e1f3fbff9dd7173be9b317f9d0bc5e9cde044f1587fa8db7
- SHA512: bc46d659a245a8b28c144cf090a299615af8ca49410c6904ec3e1aa5cf0310cf5b78f979fe18c792b17e805230d0095d2a0483fa01bb3f1c3624437571650c0a
- SSDEEP: 768:MahPkNGxnPx2McQ+G6lZcOWbeAUveHL2kdQjP10V2dgvbU8/gT3:MPegMWG6lmzbev2r5dwP10V2mvbUYgT3
- Score: 3/10

Target: VT bypass binder/output.exe
- Size: 1.2MB
- MD5: 26288f78577b4856a923f20e6126d3d4
- SHA1: 651d70c3d585d1612a7934cac6c2c77e4fb6c38e
- SHA256: ab5d6682b0832639ccd6ab1d0ae06ae290cf954df3e5cb2127f5d5410c8e6a4c
- SHA512: 9ca17a94031e1623a5bc82f5d0613cb8bcf2194a85eab56cf3489f818da4df5e8e7cc042a847e8cd66d3a2c3ba96e9d49f6623dbe297b79ef72f11f930b00ee9
- SSDEEP: 6:idqmvVg3F+X32M9of5FAmJv1kg+xS5GH2O8lqp:e9GSG55/ywGH2Dqp
- Score: 1/10

Target: VT bypass binder/sexclitxworm.exe
- Size: 1.2MB
- MD5: b6a3b0622d21e1c6cea2f8b302131994
- SHA1: 9e6c28b1301bf233903347dba146014ed712447a
- SHA256: c343d4d961990fceb2519b22396dd33236916b3de04e7f63a4e90f463c148f3a
- SHA512: a154acbb8c388c7ef7df9d2f9b9fb69297ae8e035f669e96ecb4f3bc82cc4150b99e921c50e822d273cbda782dde1477c1c5c91ace89dd00fd89c0b54526b2a0
- SSDEEP: 24576:Gy07u12dt5Cnx/3FCEKb+lINSO28Q3k+hlUj/geBw8yVyQtvi1UtNe9MqmrC:Gy0MCt5Cnx/3FCEC+lIQO28Q3k+hEIez
- Score: 3/10