Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
dbe642523f98ceb373b7d7be7804d0419127149286d1f6d4ba2fab4bd73ec5b1
-
Size
3.0MB
-
Sample
231216-bl4hyabce4
-
MD5
e853d29af8f7bc24acd08ba46eaff53a
-
SHA1
b6a51c40bd71a5a4cd66b3f467430361b5749d22
-
SHA256
dbe642523f98ceb373b7d7be7804d0419127149286d1f6d4ba2fab4bd73ec5b1
-
SHA512
48c6750ddec924e7916ca3607aaa508740e1cb606a8e99d617f855262ca764a6db5b751507f19e209ded02c48fcf54ce0a837e68b084e2c3cec3cb931c671af2
-
SSDEEP
49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm
Behavioral task
behavioral1
Sample
dbe642523f98ceb373b7d7be7804d0419127149286d1f6d4ba2fab4bd73ec5b1.exe
Resource
win7-20231215-en
Malware Config
Extracted
orcus
ROBLOX
31.44.184.52:34332
sudo_e3ab5up7d13oh7u1j8tw7pma0e2ky65w
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\datalifeeternalprotect\vmdatalife.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Targets
-
-
Target
dbe642523f98ceb373b7d7be7804d0419127149286d1f6d4ba2fab4bd73ec5b1
-
Size
3.0MB
-
MD5
e853d29af8f7bc24acd08ba46eaff53a
-
SHA1
b6a51c40bd71a5a4cd66b3f467430361b5749d22
-
SHA256
dbe642523f98ceb373b7d7be7804d0419127149286d1f6d4ba2fab4bd73ec5b1
-
SHA512
48c6750ddec924e7916ca3607aaa508740e1cb606a8e99d617f855262ca764a6db5b751507f19e209ded02c48fcf54ce0a837e68b084e2c3cec3cb931c671af2
-
SSDEEP
49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-