General

  • Target

    ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed

  • Size

    913KB

  • Sample

    231210-bdm6zsbbbj

  • MD5

    de8b7fb309d25780aed16c57dbac7b6b

  • SHA1

    83694155f1cf4548723063604bd7092db7dbe9e9

  • SHA256

    ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed

  • SHA512

    e266811afd132a68d5f246989ec08dca2bf827baa4d0ca077ff77586ee9a15f83b37962dd889476052befc79b902cca2fc97ef4362bad8b279ce24ca8fdf14fc

  • SSDEEP

    24576:WEqr4MROxnF25bHKTlQWrZlI0AilFEvxHi4N:WEjMiwWrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:6667

Mutex

9330fd5dd8ac40358129df34f738958a

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      ed634c21192e550e34463005843409a1ff3970136a564522600ff14139b646ed

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)
