General

  • Target

    VT bypass binder.zip

  • Size

    1.8MB

  • Sample

    231126-x9cwsabh73

  • MD5

    b54f5e096680ce04840702e48b7d166b

  • SHA1

    9178d17c87efc2b1cb4d080df7ac1dbc9e6646c7

  • SHA256

    2864e500977882a37f0ff762a2918ce8d228ebdd583f66ffc1abcced8ef1155c

  • SHA512

    d9a4a89fcf32d71fc73372bcb0192c981b20214760b5b7f628b52188010bdad228a3e98ba05953dac282e991b32564abf02404708a545f5875092a4ec82f5bd0

  • SSDEEP

    24576:V6fBpErZUevseeSKsqJJu4BPtSh03zfixEd1P3gLUB3g5BbkRie6XJLF7oKJqGBv:MrCVvse3T4BPoqWad133g3ARE95Jq6

Malware Config

Extracted

Family

orcus

C2

groups-opportunity.at.ply.gg:55025:49668

Mutex

e0eb928c842e4900aa44b95bd0163372

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe
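The extracted configuration above is the most actionable part of this report: the C2 hostname, mutex, install path, watchdog path and persistence names can be turned into host-level hunt indicators directly. The script below is an added example, not code from the page or from the sandbox; it derives indicators from the config as listed and runs them over a handful of simplified, constructed Sysmon-style events. It assumes the C2 string is a host followed by one or more ports (the page does not say what the second number means), and it strips the `%programfiles%` prefix so the install path is matched as a case-insensitive suffix. Two caveats a hunter should keep in mind: `autostart_method` is `Disable` in this config, so the `Orcus` Run value and scheduled task are named in the config but may never be created, and the `.at.ply.gg` host is a tunnel endpoint, so the hostname rather than any resolved IP is the stable indicator.

```python
import re

# Orcus configuration exactly as extracted on the page (Malware Config section).
ORCUS_CONFIG = {
    "c2": "groups-opportunity.at.ply.gg:55025:49668",
    "mutex": "e0eb928c842e4900aa44b95bd0163372",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
    "autostart_method": "Disable",
}


def indicators(cfg):
    """Turn the extracted config into a set of hunt indicators.

    Assumption (not stated on the page): the C2 field is host:port[:port].
    The watchdog path in the config is relative, and its resolved location is
    not on the page, so paths are matched as loose case-insensitive suffixes.
    """
    host, *ports = cfg["c2"].split(":")

    def tail(path):
        # Drop a leading %ENVVAR%\ prefix so "%programfiles%\Orcus\Orcus.exe"
        # becomes the suffix "orcus\orcus.exe".
        return re.sub(r"^%[^%]+%\\", "", path).lower()

    return {
        "c2_host": host.lower(),
        "c2_ports": {int(p) for p in ports},
        "mutex": cfg["mutex"].lower(),
        "path_suffixes": {tail(cfg["install_path"]), tail(cfg["watchdog_path"])},
        "task_name": cfg["taskscheduler_taskname"].lower(),
        "run_value": cfg["registry_keyname"].lower(),
    }


def match_event(ev, ioc):
    """Return the names of every indicator a single event hits (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "").lower()
        if any(image.endswith(s) for s in ioc["path_suffixes"]):
            hits.append("install_or_watchdog_path")
    elif kind == "network_connect":
        if ev.get("dest_host", "").lower() == ioc["c2_host"]:
            hits.append("c2_host")
        if ev.get("dest_port") in ioc["c2_ports"]:
            hits.append("c2_port")
    elif kind == "mutex_create":
        if ioc["mutex"] in ev.get("name", "").lower():
            hits.append("mutex")
    elif kind == "registry_set":
        # Run-key persistence is configured but disabled in this sample; keep the
        # check anyway, since the operator can flip autostart_method in the builder.
        key = ev.get("key", "").lower()
        if key.endswith(r"\currentversion\run") and ev.get("value_name", "").lower() == ioc["run_value"]:
            hits.append("run_key_value")
    elif kind == "task_create":
        if ev.get("task_name", "").lower().strip("\\") == ioc["task_name"]:
            hits.append("scheduled_task")
    return hits


def hunt(events, cfg=ORCUS_CONFIG):
    """Run every event through the indicator set; return (index, hits) for the ones that match."""
    ioc = indicators(cfg)
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_event(ev, ioc))]


# Constructed sample telemetry (hypothetical, not from the report): a mix of
# events that should match the config and benign ones that should not.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Orcus\Orcus.exe"},
    {"type": "network_connect", "dest_host": "groups-opportunity.at.ply.gg", "dest_port": 55025},
    {"type": "mutex_create", "name": r"\Sessions\1\BaseNamedObjects\e0eb928c842e4900aa44b95bd0163372"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\OrcusWatchdog.exe"},
]

if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], hits)
```

The mutex and the tunnel hostname are the indicators least likely to change between builds from the same operator; the file paths and persistence names are builder defaults and will collide with other Orcus samples, so treat a path-only hit as a lead rather than a confirmation.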

Targets

    • Target

      VT bypass binder.zip

    • Size

      1.8MB

    • MD5

      b54f5e096680ce04840702e48b7d166b

    • SHA1

      9178d17c87efc2b1cb4d080df7ac1dbc9e6646c7

    • SHA256

      2864e500977882a37f0ff762a2918ce8d228ebdd583f66ffc1abcced8ef1155c

    • SHA512

      d9a4a89fcf32d71fc73372bcb0192c981b20214760b5b7f628b52188010bdad228a3e98ba05953dac282e991b32564abf02404708a545f5875092a4ec82f5bd0

    • SSDEEP

      24576:V6fBpErZUevseeSKsqJJu4BPtSh03zfixEd1P3gLUB3g5BbkRie6XJLF7oKJqGBv:MrCVvse3T4BPoqWad133g3ARE95Jq6

    • Score

      1/10

    • Target

      VT bypass binder/BypassGUI.exe

    • Size

      1.2MB

    • MD5

      523527a01c3bd0226f17cc70886df36c

    • SHA1

      3d70ba2e83fb515efb0dd3a1dd7e772514098fb2

    • SHA256

      7c1928b0fec39ec7cb2198293f1e9bd3a12e10e34d2644418a27970044c768a0

    • SHA512

      7977606badd53b9e89eaad42422476ad2825cd9d6a29a8b28b27d35cbac27f6f5c93b3e845af45a01a222b0e8789db1250e005496893d356774078818a1df4f6

    • SSDEEP

      24576:6y07u12dt5Cnx/3FCEKb+lINSO28Q3k+hlUj/geBw8yVyQtvi1UtNe9MqE28:6y0MCt5Cnx/3FCEC+lIQO28Q3k+hEIe0

    • Score

      1/10

    • Target

      VT bypass binder/PythonXZ.exe

    • Size

      903KB

    • MD5

      f0a195d9ffcb4626d8f072fb5c1dc2de

    • SHA1

      a46d78bda4a5bc661e414ecbdc49738396cae5e4

    • SHA256

      086e64cf5e2ad4f0b3f472754ab4aeb1603b3d3e89c05ce1e6cc26f2725d2d38

    • SHA512

      d571421d1189fc4ebde326e0b774cc36e713438cab558efa3d7546523641506f603491c0a7782617e7858820b0d23d717d5ee97819c0ed1b65749bf2b7176aab

    • SSDEEP

      24576:MVWC4MROxnFwOVrrcI0AilFEvxHPjoo5:MqMiC8rrcI0AilFEvxHP

    • Orcus

      Orcus is a remote access trojan sold on underground forums.

    • Orcus main payload

    • Orcus RAT executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      VT bypass binder/build.ahk

    • Size

      194B

    • MD5

      1e50d8c9ce91b1245201ac0097987478

    • SHA1

      e3566a55f93be2a8307fb8d53e65d741172e0c59

    • SHA256

      5c08fc84db4979cd21082805804057992dbf14f586880ce86270ad51d9195626

    • SHA512

      6da1e3793d530551096f7f68bdbcf890beea6254fc1c4d6abe2b489a8fd9d5215faa7860b5689965d79f6b7e689bcdae9dcbf167e0acc38d1be9d4500bdd54a4

    • Score

      3/10

    • Target

      VT bypass binder/default.ico

    • Size

      35KB

    • MD5

      f74503b22273aef038c811447b0727e7

    • SHA1

      5d57c77c7122dd42826a877cc3816130dc47ee4f

    • SHA256

      709acda0dbf33ae8e1f3fbff9dd7173be9b317f9d0bc5e9cde044f1587fa8db7

    • SHA512

      bc46d659a245a8b28c144cf090a299615af8ca49410c6904ec3e1aa5cf0310cf5b78f979fe18c792b17e805230d0095d2a0483fa01bb3f1c3624437571650c0a

    • SSDEEP

      768:MahPkNGxnPx2McQ+G6lZcOWbeAUveHL2kdQjP10V2dgvbU8/gT3:MPegMWG6lmzbev2r5dwP10V2mvbUYgT3

    • Score

      3/10

    • Target

      VT bypass binder/output.exe

    • Size

      1.2MB

    • MD5

      26288f78577b4856a923f20e6126d3d4

    • SHA1

      651d70c3d585d1612a7934cac6c2c77e4fb6c38e

    • SHA256

      ab5d6682b0832639ccd6ab1d0ae06ae290cf954df3e5cb2127f5d5410c8e6a4c

    • SHA512

      9ca17a94031e1623a5bc82f5d0613cb8bcf2194a85eab56cf3489f818da4df5e8e7cc042a847e8cd66d3a2c3ba96e9d49f6623dbe297b79ef72f11f930b00ee9

    • SSDEEP

      6:idqmvVg3F+X32M9of5FAmJv1kg+xS5GH2O8lqp:e9GSG55/ywGH2Dqp

    • Score

      1/10

    • Target

      VT bypass binder/sexclitxworm.exe

    • Size

      1.2MB

    • MD5

      b6a3b0622d21e1c6cea2f8b302131994

    • SHA1

      9e6c28b1301bf233903347dba146014ed712447a

    • SHA256

      c343d4d961990fceb2519b22396dd33236916b3de04e7f63a4e90f463c148f3a

    • SHA512

      a154acbb8c388c7ef7df9d2f9b9fb69297ae8e035f669e96ecb4f3bc82cc4150b99e921c50e822d273cbda782dde1477c1c5c91ace89dd00fd89c0b54526b2a0

    • SSDEEP

      24576:Gy07u12dt5Cnx/3FCEKb+lINSO28Q3k+hlUj/geBw8yVyQtvi1UtNe9MqmrC:Gy0MCt5Cnx/3FCEC+lIQO28Q3k+hEIez

    • Score

      3/10
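Two of the files in the archive, BypassGUI.exe and sexclitxworm.exe, have different MD5/SHA hashes but nearly identical SSDEEP hashes (same block size, same digest apart from a few characters), which marks them as near-duplicate builds. The script below is an added example, not code from the page or from the ssdeep project: it is a compact reimplementation of the ssdeep comparison rule (block-size alignment, run-length elimination, a required 7-character common substring, and a Levenshtein distance with substitution cost 2 scaled to 0-100) applied to the SSDEEP strings quoted in this report. It is written to follow the reference algorithm, but treat its scores as an approximation and use `ssdeep -d` or the `ssdeep` Python binding's `compare()` for authoritative numbers.

```python
SPAMSUM_LENGTH = 64   # maximum digest length per block size in ssdeep
MIN_BLOCKSIZE = 3     # smallest block size ssdeep uses
ROLLING_WINDOW = 7    # two digests must share a 7-char substring to score at all

# SSDEEP values exactly as listed on the page for four of the extracted files.
SSDEEP = {
    "BypassGUI.exe": "24576:6y07u12dt5Cnx/3FCEKb+lINSO28Q3k+hlUj/geBw8yVyQtvi1UtNe9MqE28:6y0MCt5Cnx/3FCEC+lIQO28Q3k+hEIe0",
    "sexclitxworm.exe": "24576:Gy07u12dt5Cnx/3FCEKb+lINSO28Q3k+hlUj/geBw8yVyQtvi1UtNe9MqmrC:Gy0MCt5Cnx/3FCEC+lIQO28Q3k+hEIez",
    "PythonXZ.exe": "24576:MVWC4MROxnFwOVrrcI0AilFEvxHPjoo5:MqMiC8rrcI0AilFEvxHP",
    "output.exe": "6:idqmvVg3F+X32M9of5FAmJv1kg+xS5GH2O8lqp:e9GSG55/ywGH2Dqp",
}


def parse_ssdeep(h):
    """Split 'blocksize:digest1:digest2' into (int, str, str)."""
    block, d1, d2 = h.split(":", 2)
    return int(block), d1, d2


def eliminate_sequences(s):
    """ssdeep collapses any run of more than three identical characters to three."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def has_common_substring(a, b, n=ROLLING_WINDOW):
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def edit_distance(a, b, sub_cost=2):
    """Levenshtein distance with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else sub_cost)))
        prev = cur
    return prev[-1]


def score_digests(a, b, block_size):
    """Score two digests taken at the same block size on ssdeep's 0-100 scale."""
    a, b = eliminate_sequences(a), eliminate_sequences(b)
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b)
    score = score * SPAMSUM_LENGTH // (len(a) + len(b))
    score = 100 * score // SPAMSUM_LENGTH
    if score >= 100:
        return 0
    score = 100 - score
    # Very short digests at small block sizes are capped so they cannot look too similar.
    cap = block_size // MIN_BLOCKSIZE * min(len(a), len(b))
    return min(score, cap)


def compare(h1, h2):
    """ssdeep-style comparison: only digests at the same block size are comparable."""
    b1, a1, a2 = parse_ssdeep(h1)
    b2, c1, c2 = parse_ssdeep(h2)
    if b1 == b2:
        return max(score_digests(a1, c1, b1), score_digests(a2, c2, b1 * 2))
    if b1 == b2 * 2:
        return score_digests(a1, c2, b1)
    if b2 == b1 * 2:
        return score_digests(a2, c1, b2)
    return 0


def similarity_matrix(hashes=SSDEEP):
    """All pairwise scores, keyed by (name_a, name_b), for the files on the page."""
    names = list(hashes)
    return {(x, y): compare(hashes[x], hashes[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


if __name__ == "__main__":
    for (x, y), s in sorted(similarity_matrix().items(), key=lambda kv: -kv[1]):
        print(f"{s:3d}  {x} <-> {y}")
```

The high score between BypassGUI.exe and sexclitxworm.exe, against zero for every other pairing, is consistent with one build re-saved under a second name, which is the kind of relationship a cryptographic hash cannot show. The comparison against output.exe returns 0 purely because the block sizes (6 versus 24576) are not comparable, not because the contents were examined.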
