General
Target: ac911d58b1fe06ccafd6697c665451d4
Size: 7.5MB
Sample: 231219-1qp9jsbean
MD5: ac911d58b1fe06ccafd6697c665451d4
SHA1: ded22a883d85fd21d97dd0fc8b75b8e02b200f7e
SHA256: 0dbac1adb12dab36645992c3e54c3e8a1f095694a380562fdfcfa62b5e0dfcde
SHA512: 6dfa086a1a3cf32252b42fd70c6036dca48d75405ad74a2835f1dd608e58049efc7465d6458f36ce027b9a2d7b1c65d5558dabc0a511454aa4b8a061338f67c9
SSDEEP: 24576:HP34MROxnFD3Kw8XlrrcI0AilFEvxHPkooN4:HgMiJCrrcI0AilFEvxHP
Behavioral task
behavioral1
Sample: ac911d58b1fe06ccafd6697c665451d4.exe
Resource: win7-20231215-en
Malware Config
Extracted
Family: orcus
C2: 178.200.180.146:10134
74fca2b9468a452da64bad1cfc73558b (unlabeled in the report; this position in a tria.ge Orcus config normally holds the mutex name)
autostart_method: Registry
enable_keylogger: false
install_path: C:\Windows\INF\recov\RuntimeBroker.exe
reconnect_delay: 10000
registry_keyname: Runtime Broker
taskscheduler_taskname: Runtime Broker
watchdog_path: AppData\Steam
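The extracted config gives everything needed to hunt for this sample's persistence on a live host: a Run value and a scheduled task both named "Runtime Broker", a RuntimeBroker.exe copy in C:\Windows\INF\recov (the genuine binary lives in System32 and is started by DCOM/svchost, never from a Run value or a task), a watchdog directory under AppData\Steam, and the C2 socket. The following is an added example, not tria.ge output or Orcus code: it applies those indicators to a host snapshot. The snapshot format (Run values, task names, process image paths, remote connections) and the two sample hosts, including the "watchdog.exe" file name under the watchdog directory, are constructed for illustration.

```python
# Added hunt example based on the extracted Orcus config above; the snapshot
# format and both sample hosts are constructed, not real telemetry.
from __future__ import annotations

# Values copied from the extracted config on this page.
C2_HOST, C2_PORT = "178.200.180.146", 10134
INSTALL_PATH = r"C:\Windows\INF\recov\RuntimeBroker.exe"
REGISTRY_KEYNAME = "Runtime Broker"      # value name under ...\CurrentVersion\Run
TASK_NAME = "Runtime Broker"             # scheduled task name
WATCHDOG_DIR = r"AppData\Steam"          # relative to the user profile

# The genuine RuntimeBroker.exe lives here and is launched by DCOM/svchost,
# so a Run value or task pointing at *any* RuntimeBroker.exe is suspect, and a
# copy at any other path is a masquerade.
LEGIT_RUNTIMEBROKER = r"c:\windows\system32\runtimebroker.exe"


def _norm(cmd: str) -> str:
    """Extract the executable path from a command line and lower-case it."""
    p = cmd.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # quoted path, drop arguments
    else:
        p = p.split(" ", 1)[0]              # unquoted path, drop arguments
    return p.lower()


def check_run_values(run_values: dict[str, str]) -> list[str]:
    """run_values: value name -> command, as read from HKCU/HKLM ...\\Run."""
    hits = []
    for name, cmd in run_values.items():
        if name.lower() == REGISTRY_KEYNAME.lower():
            hits.append(f"Run value '{name}' matches Orcus registry_keyname -> {cmd}")
        elif _norm(cmd).endswith("\\runtimebroker.exe"):
            hits.append(f"Run value '{name}' launches RuntimeBroker.exe: {cmd}")
    return hits


def check_tasks(task_names: list[str]) -> list[str]:
    return [f"Scheduled task '{t}' matches Orcus taskscheduler_taskname"
            for t in task_names if t.lower() == TASK_NAME.lower()]


def check_processes(images: list[str]) -> list[str]:
    """images: full image paths of running processes."""
    hits = []
    for img in images:
        p = _norm(img)
        if p == INSTALL_PATH.lower():
            hits.append(f"Process running from Orcus install_path: {img}")
        elif p.endswith("\\runtimebroker.exe") and p != LEGIT_RUNTIMEBROKER:
            hits.append(f"RuntimeBroker.exe masquerade outside System32: {img}")
        elif "\\" + WATCHDOG_DIR.lower() + "\\" in p:
            hits.append(f"Process under Orcus watchdog_path: {img}")
    return hits


def check_connections(conns: list[tuple[str, int]]) -> list[str]:
    return [f"Connection to Orcus C2 {h}:{p}"
            for h, p in conns if h == C2_HOST and p == C2_PORT]


def hunt(snapshot: dict) -> list[str]:
    """Run every check over one host snapshot and return all findings."""
    return (check_run_values(snapshot.get("run", {}))
            + check_tasks(snapshot.get("tasks", []))
            + check_processes(snapshot.get("processes", []))
            + check_connections(snapshot.get("connections", [])))


# Constructed snapshots: a clean host and one infected by this sample.
CLEAN_HOST = {
    "run": {"OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    "tasks": ["OneDrive Standalone Update Task"],
    "processes": [r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Windows\explorer.exe"],
    "connections": [("192.0.2.10", 443)],
}
INFECTED_HOST = {
    "run": {"Runtime Broker": r'"C:\Windows\INF\recov\RuntimeBroker.exe"',
            "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    "tasks": ["Runtime Broker", "OneDrive Standalone Update Task"],
    "processes": [r"C:\Windows\System32\RuntimeBroker.exe",
                  r"C:\Windows\INF\recov\RuntimeBroker.exe",
                  r"C:\Users\u\AppData\Steam\watchdog.exe"],   # constructed file name
    "connections": [("178.200.180.146", 10134)],
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, hunt(snap) or ["no Orcus indicators"])
```

The checks are deliberately independent so that any single surviving artifact (the task alone after the Run value is cleaned, or the watchdog alone after the main binary is removed) still produces a finding; on a real host the snapshot would be filled from the Run keys, the task scheduler, the process list and active connections.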
Targets
Target: ac911d58b1fe06ccafd6697c665451d4 (7.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory