General

  • Target

    b8f44264494df8fe4903aecd11057cdb9c7abff177a5cf6c8e37fc582ae2be0d

  • Size

    2.9MB

  • Sample

    231218-b43pcsgebj

  • MD5

    46490216fdf0efff1bc81e431a1fa7e4

  • SHA1

    563eef6b45ecd75c8bb72c5e41bb536a2f59f57f

  • SHA256

    b8f44264494df8fe4903aecd11057cdb9c7abff177a5cf6c8e37fc582ae2be0d

  • SHA512

    c2b864efffeb5389a5877b8e03108de7f613e933871e412e9b1ba09bb512f8bbbcaa1e8c8ba249dacb2d70fa5ca618abe3e02ab64f146ae6f98fc434348a5b4c

  • SSDEEP

    49152:VOrN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmjWncFf0I74gu3wM:VE0wGGzBjryX82uypSb9ndo9JCm

Malware Config

Extracted

  • Family

    orcus

  • C2

    following-s.gl.at.ply.gg:38914

  • Mutex

    41f3efa141e34614a0c4fe5e1092cae0

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      b8f44264494df8fe4903aecd11057cdb9c7abff177a5cf6c8e37fc582ae2be0d

    • Size

      2.9MB

    • MD5

      46490216fdf0efff1bc81e431a1fa7e4

    • SHA1

      563eef6b45ecd75c8bb72c5e41bb536a2f59f57f

    • SHA256

      b8f44264494df8fe4903aecd11057cdb9c7abff177a5cf6c8e37fc582ae2be0d

    • SHA512

      c2b864efffeb5389a5877b8e03108de7f613e933871e412e9b1ba09bb512f8bbbcaa1e8c8ba249dacb2d70fa5ca618abe3e02ab64f146ae6f98fc434348a5b4c

    • SSDEEP

      49152:VOrN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmjWncFf0I74gu3wM:VE0wGGzBjryX82uypSb9ndo9JCm

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE
