General

  • Target

    91ce27e029579672316835d3df17f5aa

  • Size

    5.7MB

  • Sample

    231219-y3nv5scfam

  • MD5

    91ce27e029579672316835d3df17f5aa

  • SHA1

    d39f4e332ec82a34b36a9e3b443a7ba01bcbacf0

  • SHA256

    2d691f32f85f4036a2d2557e6a8712642de87f2e4bd739bc646d2e1868247d91

  • SHA512

    90c3cf668d63130dc465bd8ffd28d9c2eaeba029bc49b96caf01566142a2179095a565b1960777762163527be4b4b35581328345bb18e2049ce94923cfa16864

  • SSDEEP

    98304:S1Ez2JuYuUTMQHW4sp3JI19j3whkpPsstK2gjibmB:72JhngQHW4FNwhkpHK2Nb

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    Client001

  • C2

    192.168.1.87:7005

  • Mutex

    606052efa3484cbfaac032f9ffb221f6

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    Temp\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus RAT Executable

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext