General

Target: f3fc51b81b6e9977c700918fc2d0c3c1
Size: 1.7MB
Sample: 231220-vsc44scggn
MD5: f3fc51b81b6e9977c700918fc2d0c3c1
SHA1: 60a3d2f8ecd7084749e49ce89bd41c9264b22469
SHA256: 32259dd1b952bfd4e7bb672d6d3e894a540a70f331b02cb60dde9b9842017d07
SHA512: 10b05c17a12c26970b050a7d51d30f5e6df07d5604c6123e763d1739da03eac69b4ddec595da099506cb1bbc2c39eec76b89bde3a08342f1624c35d4678d3b99
SSDEEP: 24576:alH8PPq9dLgkzA6HwDDutZEDLCHl+oMhPPPKmx9ryqQTnClsPCA2vl4:uUS9dUMArutFT2HfyqQDClzA2vy
Static task: static1

Behavioral task: behavioral1
  Sample: f3fc51b81b6e9977c700918fc2d0c3c1.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: f3fc51b81b6e9977c700918fc2d0c3c1.exe
  Resource: win10v2004-20231215-en
Malware Config

Extracted family: orcus
C2: 127.0.0.1:10134
Extractor value (unlabelled in the report): 94a0f6dec3fa4416b40ebfc91d82e4b2

- autostart_method: Registry
- enable_keylogger: false
- install_path: %programfiles%\drivers\drivers.exe
- reconnect_delay: 10000
- registry_keyname: drivers
- taskscheduler_taskname: drivers
- watchdog_path: AppData\drivers.exe

Note that 127.0.0.1 is the loopback address, so the extracted C2 is not a usable network indicator: the sample will only ever connect to a controller on the infected host itself, which is typical of a test or self-contained build rather than a deployed campaign. The host-side values (install path, Run value name, scheduled task name, watchdog path) are the indicators worth hunting for. The watchdog_path is relative; the extractor does not say which base directory it is resolved against.
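The persistence and install settings above translate directly into host-level checks. The following PowerShell hunt script is an added example, not part of the tria.ge report or of the Orcus RAT itself. It assumes: the Run value and scheduled task are named exactly as registry_keyname and taskscheduler_taskname ("drivers"); the Run value may live under either HKLM or HKCU (the report only says a Run key was added); the relative watchdog_path "AppData\drivers.exe" resolves under %APPDATA%; and a 32-bit sample on a 64-bit host may expand %programfiles% to "Program Files (x86)", so both locations are checked. A SHA256 match against the sample hash is confirmation, but a miss is not a clean result, since Orcus builds are routinely repacked.

```powershell
# Added hunt script for the Orcus config extracted above (not the report's own code).
# Assumptions are listed in the lead-in; adjust $KeyName and the paths if a variant differs.
$Sha256  = '32259dd1b952bfd4e7bb672d6d3e894a540a70f331b02cb60dde9b9842017d07'
$KeyName = 'drivers'   # registry_keyname == taskscheduler_taskname in this config

# install_path from the config, plus the x86 redirection and the assumed watchdog location
$Paths = @(
    [Environment]::ExpandEnvironmentVariables('%programfiles%\drivers\drivers.exe'),
    [Environment]::ExpandEnvironmentVariables('%programfiles(x86)%\drivers\drivers.exe'),
    (Join-Path $env:APPDATA 'drivers.exe')   # assumption: watchdog_path is relative to %APPDATA%
)

$findings = @()

# 1. Dropped binaries: report presence and whether the hash matches the analysed sample
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $p
            Detail = ('SHA256={0} matches_sample={1}' -f $h, ($h -ieq $Sha256))
        }
    }
}

# 2. autostart_method=Registry: Run value named after registry_keyname, in either hive
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name $KeyName -ErrorAction SilentlyContinue
    if ($v) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$run\$KeyName"; Detail = $v.$KeyName }
    }
}

# 3. Scheduled task named after taskscheduler_taskname (ScheduledTasks module, Windows 8 / Server 2012 and later)
$task = Get-ScheduledTask -TaskName $KeyName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Where = $task.TaskPath + $task.TaskName; Detail = $actions }
}

# 4. Running implant or watchdog: process name derived from the dropped file name
foreach ($pr in (Get-Process -Name $KeyName -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($pr.Id)"; Detail = $pr.Path }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No artefacts matching this Orcus config were found on this host.'
}
```

Run it from an elevated PowerShell session so that HKLM, the Program Files tree and other users' processes are readable; without elevation, a missing HKLM Run value or an empty process path can simply mean access was denied.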
Targets

Target: f3fc51b81b6e9977c700918fc2d0c3c1 (1.7MB; hashes as listed under General above)
Score: 10/10

Signatures:
- Orcurs Rat Executable (sic; the tria.ge signature name for Orcus RAT)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application (consistent with autostart_method=Registry and registry_keyname=drivers in the extracted config)
- Suspicious use of NtSetInformationThreadHideFromDebugger (the ThreadHideFromDebugger information class stops the calling thread from delivering debug events, a common anti-debugging technique)