Behavioral task
behavioral1
Sample
b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Resource
win7-20231023-en
General
Target: b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe.zip
Size: 594KB
MD5: c184ac2ab6f4202d48464a5eb6a530d7
SHA1: 6a7a857f86582fe28b1e9da9b6ac7d08101ae622
SHA256: ec77f944e611cea60295de5b42e23a32c688b2d7ecadcb0a01977e38504ada86
SHA512: 188cc8b371cc4fe1b74bf9627687396451af1e81645606ad4f71dd26526ce81755f29a444fb5cefe2c0f38dedc668515ff242b4608541f9afe1371b0f60ce169
SSDEEP: 12288:1F+113I/lostvds4guEDHSLt6IlK/FE6NuTiwD5Ov4g1KoNC0wa/mJ0C6:1u13I/lostvdguEbSwI+2DTiwD5Ov3NZ
Malware Config
Extracted
orcus
NewPro
216.170.120.141:42069
d3d52ea46f88416fac4938bc6eb0a5d0
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\Taber LLC\RMM\rmm.exe
reconnect_delay: 10000
registry_keyname: RMM
taskscheduler_taskname: RMM
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Orcurs Rat Executable (1 IoCs)
resource yara_rule static1/unpack001/b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe orcus
Orcus family
Orcus main payload (1 IoCs)
resource yara_rule static1/unpack001/b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe family_orcus
Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
resource unpack001/b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Files
b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe.zip.zip
Password: infected
b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 908KB - Virtual size: 908KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ