Behavioral task: behavioral1
Sample: e682b6d71171000383f9b6bd819ae9017794b98d7a24243a4ec5b6a132876bf5.exe
Resource: win7-20231020-en
General
Target: e682b6d71171000383f9b6bd819ae9017794b98d7a24243a4ec5b6a132876bf5
Size: 921KB
MD5: 6300a61dfb2ca101fecf2e3737c43194
SHA1: 361d3007da8a3dacc3d42a02b67c232ae074982f
SHA256: e682b6d71171000383f9b6bd819ae9017794b98d7a24243a4ec5b6a132876bf5
SHA512: 991120e393165a42ceab9a31f696d6a8495545ee40218abf92a2cd631235b610156e2afd2d9d96964a5e6f6dd7ca89e516b8b474bcb9a68523ac4946aea762a4
SSDEEP: 24576:mkL94MROxnF43A5rrcI0AilFEvxHP3zooV:lWMiGerrcI0AilFEvxHP3
Malware Config
Extracted family: orcus
C2: s1.putinso.site:2004
2735597b534846cb8b384bdb5863f82c
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\Regedit\svhost.exe
reconnect_delay: 10000
registry_keyname: svhost
taskscheduler_taskname: svhost
watchdog_path: AppData\regedit.exe

Reading the config: the install name svhost.exe is one letter short of the legitimate svchost.exe, which lives only under %SystemRoot%\System32 (and SysWOW64) and is never installed under Program Files, so the file name itself is a masquerade indicator. Both persistence artifacts carry the same name, a scheduled task "svhost" and a Run value "svhost", and the watchdog is dropped as regedit.exe under the user's AppData, whereas the real regedit.exe lives in %SystemRoot%. The keylogger is enabled in this build.
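The config fields above translate directly into host-side detections. The block below is an added example, not tria.ge code and not part of Orcus: it turns the extracted values into a handful of rules and runs them over constructed event records whose field names mimic Sysmon (event IDs 1, 3, 11, 13) and Security 4698; those field names, the %APPDATA% rooting of the relative watchdog path, and the sample SID and user name are assumptions, not data from the report. Because the PE is 32-bit and the report does not say whether it runs under WOW64 on x64 hosts, %programfiles% is expanded to both Program Files directories.

```python
"""Host-artifact detections derived from the Orcus config extracted above.

Added example (not from the tria.ge report or from Orcus). SAMPLE_EVENTS is
CONSTRUCTED telemetry shaped like Sysmon/Security events; the field names are
assumptions about the log source.
"""
from __future__ import annotations

import ntpath

# Config values exactly as extracted on the page.
ORCUS_CONFIG = {
    "c2_host": "s1.putinso.site",
    "c2_port": 2004,
    "install_path": r"%programfiles%\Regedit\svhost.exe",
    "watchdog_path": r"AppData\regedit.exe",
    "taskscheduler_taskname": "svhost",
    "registry_keyname": "svhost",
}


def expand_install_paths(install_path: str) -> list[str]:
    """%programfiles% resolves to either Program Files directory on an x64
    host depending on WOW64 redirection, which the report does not reveal,
    so both candidates are hunted (lower-cased for comparison)."""
    tail = install_path.lower().split("%programfiles%", 1)[1]
    return ["c:\\program files" + tail, "c:\\program files (x86)" + tail]


def match_event(event: dict, cfg: dict = ORCUS_CONFIG) -> list[str]:
    """Return the names of the config-derived rules this event matches."""
    hits: list[str] = []
    eid = event.get("event_id")
    image = event.get("Image", "").lower()
    # Sysmon 1: process started from the configured install path.
    if eid == 1 and image in expand_install_paths(cfg["install_path"]):
        hits.append("orcus_install_path_exec")
    # Sysmon 1: the svhost.exe look-alike; the legitimate binary is svchost.exe
    # (with a 'c') and lives in System32/SysWOW64, so any 'svhost.exe' is suspect.
    if eid == 1 and ntpath.basename(image) == "svhost.exe":
        hits.append("svchost_name_masquerade")
    # Security 4698: scheduled task registered with the configured name.
    task = event.get("TaskName", "").strip("\\").lower()
    if eid == 4698 and task == cfg["taskscheduler_taskname"]:
        hits.append("orcus_task_persistence")
    # Sysmon 13: Run value with the configured name (any hive).
    if eid == 13:
        key = event.get("TargetObject", "").lower()
        if key.endswith("\\currentversion\\run\\" + cfg["registry_keyname"]):
            hits.append("orcus_run_key_persistence")
    # Sysmon 11: watchdog written as regedit.exe under a profile's AppData.
    # Assumption: the relative config path is rooted at %APPDATA%/%LOCALAPPDATA%.
    if eid == 11:
        target = event.get("TargetFilename", "").lower()
        if "\\appdata\\" in target and ntpath.basename(target) == "regedit.exe":
            hits.append("orcus_watchdog_drop")
    # Sysmon 3: outbound connection to the configured C2 host and port.
    if (eid == 3
            and event.get("DestinationHostname", "").lower() == cfg["c2_host"]
            and event.get("DestinationPort") == cfg["c2_port"]):
        hits.append("orcus_c2_connection")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched rule names, omitting events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}


# Constructed sample telemetry (not the report's behavioural trace). The SID
# and user name are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Program Files (x86)\Regedit\svhost.exe"},
    {"event_id": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 4698, "TaskName": r"\svhost"},
    {"event_id": 13, "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                                     r"\Software\Microsoft\Windows\CurrentVersion\Run\svhost"},
    {"event_id": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\regedit.exe"},
    {"event_id": 11, "TargetFilename": r"C:\Windows\regedit.exe"},
    {"event_id": 3, "DestinationHostname": "s1.putinso.site", "DestinationPort": 2004},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], "->", rules)
```

The legitimate svchost.exe and the real C:\Windows\regedit.exe in the sample set produce no hits, which is the check worth keeping when these rules are ported to a SIEM: the name-based rules key on the lookalike spelling and on the AppData location, not on "regedit" or "svhost" substrings alone.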
Signatures
Orcus RAT executable (1 IoC): resource yara_rule, sample orcus
Orcus family
Orcus main payload (1 IoC): resource yara_rule, sample family_orcus
Unsigned PE (1 IoC): checks for a missing Authenticode signature; resource e682b6d71171000383f9b6bd819ae9017794b98d7a24243a4ec5b6a132876bf5
Files
e682b6d71171000383f9b6bd819ae9017794b98d7a24243a4ec5b6a132876bf5.exe: PE32 executable (windows:4, subsystem windows, machine x86, arch: x86)
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (the value shared by virtually every .NET executable, whose only native import is mscoree!_CorExeMain; it does not help cluster or attribute this sample)
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (inert on a 32-bit image; it only widens ASLR for 64-bit images and is set by default by the .NET toolchain)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree: _CorExeMain (the sole import, which marks a managed .NET executable; the native headers describe only the CLR loader stub, so analysis belongs in the IL and metadata, not in native code)
Sections
.text: size 918KB, virtual size 918KB (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ); holds essentially the whole 921KB file, as expected for a .NET assembly whose CLR header, metadata and IL all live in .text
.rsrc: size 2KB, virtual size 1KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.reloc: size 512B, virtual size 12B (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ)
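To make the header facts above checkable rather than take them on faith, the added example below (not tria.ge code, and it works from the values the report already lists instead of re-parsing the binary) recomputes the import hash from the single import, decides from that import that the image is managed, and reports which of the listed DLL-characteristics flags actually have an effect on a 32-bit image. The flag values are the standard winnt.h constants; the imphash recipe is the pefile/VirusTotal one (named imports only, ordinal handling omitted), and the result is compared with the imphash the report shows.

```python
"""PE-header triage from values already parsed by the sandbox.

Added example (not tria.ge's code): imphash recomputation, .NET detection,
and the effective subset of the DLL-characteristics mitigations for a PE32.
"""
import hashlib

# Standard winnt.h flag values.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
DLLCHARS = {
    "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA": 0x0020,
    "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE": 0x0040,
    "IMAGE_DLLCHARACTERISTICS_NX_COMPAT": 0x0100,
    "IMAGE_DLLCHARACTERISTICS_NO_SEH": 0x0400,
    "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE": 0x8000,
}


def imphash(imports):
    """Import hash as pefile computes it: one 'dll.func' per imported symbol,
    lower-cased, with .dll/.ocx/.sys stripped, comma-joined, MD5-hashed.
    Named imports only; ordinal-only imports are not handled in this example."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def is_dotnet_image(imports):
    """A managed PE's only native import is the CLR entry stub in mscoree."""
    names = {(d.lower().removesuffix(".dll"), f) for d, f in imports}
    return names in ({("mscoree", "_CorExeMain")}, {("mscoree", "_CorDllMain")})


def effective_mitigations(file_characteristics, dll_characteristics):
    """Which mitigations the flags actually buy on this image type."""
    is32 = bool(file_characteristics & IMAGE_FILE_32BIT_MACHINE)

    def has(flag):
        return bool(dll_characteristics & DLLCHARS[flag])

    return {
        "aslr": has("IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE"),
        # HIGH_ENTROPY_VA widens ASLR only for 64-bit images; on PE32 it is inert.
        "high_entropy_aslr": has("IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA") and not is32,
        "dep": has("IMAGE_DLLCHARACTERISTICS_NX_COMPAT"),
        # NO_SEH covers the native stub only; managed exceptions are the CLR's.
        "seh_disabled": has("IMAGE_DLLCHARACTERISTICS_NO_SEH"),
    }


def triage(imports, file_characteristics, dll_characteristics, sections):
    """Summary dict; code_ratio is .text raw size over the sum of raw sizes."""
    total = sum(size for _, size in sections)
    text = dict(sections).get(".text", 0)
    managed = is_dotnet_image(imports)
    return {
        "imphash": imphash(imports),
        "dotnet": managed,
        # The .NET imphash is shared by nearly every managed binary.
        "imphash_useful_for_clustering": not managed,
        "mitigations": effective_mitigations(file_characteristics, dll_characteristics),
        "code_ratio": round(text / total, 3) if total else 0.0,
    }


# Values taken from the report above.
SAMPLE_IMPORTS = [("mscoree", "_CorExeMain")]
SAMPLE_FILE_CHARS = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
SAMPLE_DLL_CHARS = 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000
SAMPLE_SECTIONS = [(".text", 918 * 1024), (".rsrc", 2 * 1024), (".reloc", 512)]

if __name__ == "__main__":
    print(triage(SAMPLE_IMPORTS, SAMPLE_FILE_CHARS, SAMPLE_DLL_CHARS, SAMPLE_SECTIONS))
```

Recomputing the hash from "mscoree._corexemain" reproduces f34d5f2d4577ed6d9ceec516c1f5a744, which is exactly why the value is worthless as a pivot for this sample: every .NET console or GUI executable hashes to it. The useful pivots for a managed Orcus build are the extracted config and the managed metadata (assembly name, MVID, type names), not the native header.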