General

  • Target

    1706bb0d7548ad810a515820c8e22bb8a2f81c3a1b8b730b02d356721ae9612c

  • Size

    913KB

  • Sample

    231210-bdm6zscfh3

  • MD5

    eecb08a8142e3504f914a4b001a4aa48

  • SHA1

    ad0828ca3e3d04219545d0de90a176f71815e78c

  • SHA256

    1706bb0d7548ad810a515820c8e22bb8a2f81c3a1b8b730b02d356721ae9612c

  • SHA512

    c760859e7f9e5d87bfeaab151f4b31fa2a5a7d615fc74e54fdf115b670d02ee9b2ca8b8041bf4580d100a7519f71c3197239bc53b44fefcde7b5cc37c1192264

  • SSDEEP

    24576:YmHR4MROxnFGjUIcZrrcI0AilFEvxHPd8ooB:7uMiYcrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:6667

Mutex

9330fd5dd8ac40358129df34f738958a

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL