General

  • Target

    d3f9271173edda4bc61d1b064c1e32001081cd7830a0d01393c8251366bcaba8

  • Size

    3.0MB

  • Sample

    231129-b4hzysdg63

  • MD5

    474490af7201b4e37f8889541cda1759

  • SHA1

    4c69bafbcb980ffd54dddcafd5bde6c14e1f969e

  • SHA256

    d3f9271173edda4bc61d1b064c1e32001081cd7830a0d01393c8251366bcaba8

  • SHA512

    e339f47c3656e4ce80220edac3c8f5056e3e1dc93e2d22172fd51863304d879f87edd8f15c19fd7c250e81b26e6f39a063afcccb72ae40aaf8f0cf9568f4b057

  • SSDEEP

    49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    P1

  • C2

    31.44.184.52:49810

  • Mutex

    sudo_c82hh4lspes0mr053lqsldxgtdyrf0sk

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\pollcentral\defaultpoll.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext
