General

  • Target

    91d9c067cff61ba23182b0bff60db942

  • Size

    2.8MB

  • Sample

    231219-y3r8kaehe2

  • MD5

    91d9c067cff61ba23182b0bff60db942

  • SHA1

    8a071fa90f7a9d911eb97e401ac8be29ee831de2

  • SHA256

    3b1b7d9aae7a192cca60d19ebc5278b52ecc5bb1f9358eb367d56399658d9895

  • SHA512

    ff01cabd1cc13b546f7aa29fd4dc91fa041e1619ba08d6beab5e78ec23facfe2c88bee6b0e8f4135712a2ecd0bfc2650fe93f793faedd1fa0245fff5022d9ab5

  • SSDEEP

    49152:k9VBs3aqfvK0jKhHkAVPYzpPTUg999jNzP6uOBUVN9cU8FYdgLw2VasxlBQH/R+p:0BqTuhHkAup4g9HAuHN90KdWLVas2p+p

Malware Config

Extracted

Family

orcus

C2

riskama.online:27016

Mutex

f6a4eeb99e524916b282d0acc98ad7c8

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Broker\Broker.exe

  • reconnect_delay

    10000

  • registry_keyname

    Broker

  • taskscheduler_taskname

    Broker

  • watchdog_path

    AppData\OrcusWatchdog.exe
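
One way to operationalise the extracted configuration, as an added example in Python (not tria.ge's own tooling): it expands the install path, derives host and network indicators from the config fields above, and checks them against a constructed list of endpoint events. The %programfiles% expansion, the event schema and the sample events are assumptions made for the example; the watchdog path is relative in the config, so it is matched by file name only.

```python
"""Turn the extracted Orcus configuration into host and network indicators and
check them against endpoint telemetry.

Added example, not tria.ge's tooling.  The configuration values are copied from
the report; the environment expansion, the event schema and the sample events
are constructed for the example.
"""
import re

# Extracted configuration, as listed in the report.
ORCUS_CONFIG = {
    "c2": "riskama.online:27016",
    "mutex": "f6a4eeb99e524916b282d0acc98ad7c8",
    "install_path": r"%programfiles%\Broker\Broker.exe",
    "registry_keyname": "Broker",
    "taskscheduler_taskname": "Broker",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}

# Assumed expansion: on a real host also consider %ProgramFiles(x86)% and every user profile.
ENV = {"%programfiles%": r"C:\Program Files"}

# Match the Run key under any hive (HKCU or HKLM, 32- or 64-bit view).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)


def expand(path, env):
    """Expand %VAR% tokens case-insensitively from `env`; unknown tokens are left as-is."""
    return re.sub(r"%[^%]+%", lambda m: env.get(m.group(0).lower(), m.group(0)), path)


def derive_iocs(cfg, env):
    """Normalise the config into lower-cased indicators that telemetry can be compared against."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),
        "install_path": expand(cfg["install_path"], env).lower(),
        # The watchdog path is relative in the config; match on the file name (assumption).
        "watchdog_name": cfg["watchdog_path"].rsplit("\\", 1)[-1].lower(),
        "run_value": cfg["registry_keyname"].lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
    }


def match_event(iocs, ev):
    """Return a reason string if one telemetry event matches an indicator, else None."""
    kind = ev["type"]
    if kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
        # A Run value called "Broker" alone is generic; require it to point at the install path.
        if ev["value_name"].lower() == iocs["run_value"] and iocs["install_path"] in ev["data"].lower():
            return "Run-key persistence for the Orcus install path"
    elif kind == "task_create":
        if ev["name"].lower() == iocs["task_name"] or iocs["install_path"] in ev["action"].lower():
            return "scheduled-task persistence"
    elif kind == "file_create":
        path = ev["path"].lower()
        if path == iocs["install_path"] or path.endswith("\\" + iocs["watchdog_name"]):
            return "Orcus payload or watchdog written to disk"
    elif kind == "netconn":
        if ev["host"].lower() == iocs["c2_host"] and ev["port"] == iocs["c2_port"]:
            return "connection to the configured C2"
    elif kind == "mutex":
        if ev["name"].lower() == iocs["mutex"]:
            return "Orcus mutex created"
    return None


def scan(iocs, events):
    """Return (index, reason) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        reason = match_event(iocs, ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed telemetry: the first six events mimic this sample's behaviour, the last two are benign.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Program Files\Broker\Broker.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Broker", "data": r"C:\Program Files\Broker\Broker.exe"},
    {"type": "task_create", "name": "Broker", "action": r"C:\Program Files\Broker\Broker.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\OrcusWatchdog.exe"},
    {"type": "mutex", "name": "f6a4eeb99e524916b282d0acc98ad7c8"},
    {"type": "netconn", "host": "riskama.online", "port": 27016},
    {"type": "netconn", "host": "update.microsoft.com", "port": 443},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, why in scan(derive_iocs(ORCUS_CONFIG, ENV), SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The C2 indicator only fires on telemetry that records the hostname (DNS or proxy logs); a raw flow log shows the resolved IP, which the report does not give. The Run-key rule deliberately requires the value data to reference the install path, because a value named Broker on its own would match legitimate software.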

Targets

    • Target

      91d9c067cff61ba23182b0bff60db942

    • Size

      2.8MB

    • MD5

      91d9c067cff61ba23182b0bff60db942

    • SHA1

      8a071fa90f7a9d911eb97e401ac8be29ee831de2

    • SHA256

      3b1b7d9aae7a192cca60d19ebc5278b52ecc5bb1f9358eb367d56399658d9895

    • SHA512

      ff01cabd1cc13b546f7aa29fd4dc91fa041e1619ba08d6beab5e78ec23facfe2c88bee6b0e8f4135712a2ecd0bfc2650fe93f793faedd1fa0245fff5022d9ab5

    • SSDEEP

      49152:k9VBs3aqfvK0jKhHkAVPYzpPTUg999jNzP6uOBUVN9cU8FYdgLw2VasxlBQH/R+p:0BqTuhHkAup4g9HAuHN90KdWLVas2p+p

    • Orcus

      Orcus is a Remote Access Trojan (RAT) sold on underground forums.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Orcus RAT Executable

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
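
The anti-analysis signatures above are keyed on which registry locations and native APIs the sample touches. The following added example in Python (not tria.ge's signature engine) classifies a constructed API-monitor trace into those signature names. The registry keys it looks for are the commonly known locations for each check and are an assumption, since the report does not list the exact keys; the trace format is likewise made up for the example.

```python
"""Map a sandbox API trace onto the anti-analysis signatures listed in the report.

Added example, not tria.ge's signature engine.  The registry locations are the
places such checks are commonly known to read (an assumption; the report does
not list the exact keys), and the trace lines are constructed in a generic
'Api(arg, ...)' form.
"""
import re
from collections import defaultdict

# ThreadInformationClass value for ThreadHideFromDebugger in NtSetInformationThread.
# Once set, the thread stops delivering debug events, so a debugger attached
# afterwards cannot break on or single-step it.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# (regex over the whole trace line, signature name as shown in the report)
REGISTRY_SIGNATURES = [
    (re.compile(r"HARDWARE\\ACPI\\\w+\\VBOX__", re.I),
     "Identifies VirtualBox via ACPI registry values"),
    (re.compile(r"HARDWARE\\DESCRIPTION\\System|(System|Video)BiosVersion", re.I),
     "Checks BIOS information in registry"),
    (re.compile(r"Control Panel\\International\\Geo", re.I),  # assumed key for the country code
     "Checks computer location settings"),
    (re.compile(r"Software\\Wine", re.I),
     "Identifies Wine through registry keys"),
]

REGISTRY_APIS = ("RegOpenKey", "RegQueryValue", "NtOpenKey", "NtQueryValueKey")
API_LINE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")


def parse_line(line):
    """Split 'Api(a, "b", c)' into ('Api', ['a', 'b', 'c']); returns None for non-call lines."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|[^,\s]+', m.group("args"))]
    return m.group("api"), args


def hides_from_debugger(api, args):
    """True for NtSetInformationThread(..., ThreadHideFromDebugger, ...) in numeric or symbolic form."""
    if api != "NtSetInformationThread" or len(args) < 2:
        return False
    if args[1] == "ThreadHideFromDebugger":
        return True
    try:
        return int(args[1], 0) == THREAD_HIDE_FROM_DEBUGGER
    except ValueError:
        return False


def classify(lines):
    """Return {signature name: [matching trace lines]}."""
    hits = defaultdict(list)
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        api, args = parsed
        if hides_from_debugger(api, args):
            hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append(raw.strip())
        elif api.startswith(REGISTRY_APIS):
            for rx, name in REGISTRY_SIGNATURES:
                if rx.search(raw):
                    hits[name].append(raw.strip())
    return dict(hits)


# Constructed trace in the order an Orcus-like sample might issue the calls.
SAMPLE_TRACE = r"""
RegOpenKeyExW(HKEY_LOCAL_MACHINE, "HARDWARE\ACPI\DSDT\VBOX__", 0, KEY_READ)
RegOpenKeyExW(HKEY_LOCAL_MACHINE, "HARDWARE\DESCRIPTION\System", 0, KEY_READ)
RegQueryValueExW(0x1a4, "SystemBiosVersion")
RegOpenKeyExW(HKEY_CURRENT_USER, "Control Panel\International\Geo", 0, KEY_READ)
RegQueryValueExW(0x1a8, "Nation")
RegOpenKeyExW(HKEY_CURRENT_USER, "Software\Wine", 0, KEY_READ)
NtSetInformationThread(0xfffffffe, 0x11, 0, 0)
RegOpenKeyExW(HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Run", 0, KEY_WRITE)
CreateMutexW(0, 0, "f6a4eeb99e524916b282d0acc98ad7c8")
""".strip().splitlines()

if __name__ == "__main__":
    for name, lines in classify(SAMPLE_TRACE).items():
        print(f"{name}: {len(lines)} call(s)")
```

Reads of the BIOS and locale keys are also made by legitimate installers and licensing code, so on their own they are weak evidence. NtSetInformationThread with information class 0x11 has few benign uses, and combined with the extracted Orcus configuration it is the stronger signal.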
