General

  • Target

    f3fc51b81b6e9977c700918fc2d0c3c1

  • Size

    1.7MB

  • Sample

    231220-vsc44scggn

  • MD5

    f3fc51b81b6e9977c700918fc2d0c3c1

  • SHA1

    60a3d2f8ecd7084749e49ce89bd41c9264b22469

  • SHA256

    32259dd1b952bfd4e7bb672d6d3e894a540a70f331b02cb60dde9b9842017d07

  • SHA512

    10b05c17a12c26970b050a7d51d30f5e6df07d5604c6123e763d1739da03eac69b4ddec595da099506cb1bbc2c39eec76b89bde3a08342f1624c35d4678d3b99

  • SSDEEP

    24576:alH8PPq9dLgkzA6HwDDutZEDLCHl+oMhPPPKmx9ryqQTnClsPCA2vl4:uUS9dUMArutFT2HfyqQDClzA2vy

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:10134

Mutex

94a0f6dec3fa4416b40ebfc91d82e4b2

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\drivers\drivers.exe

  • reconnect_delay

    10000

  • registry_keyname

    drivers

  • taskscheduler_taskname

    drivers

  • watchdog_path

    AppData\drivers.exe

Targets

    • Target

      f3fc51b81b6e9977c700918fc2d0c3c1

    • Size

      1.7MB

    • MD5

      f3fc51b81b6e9977c700918fc2d0c3c1

    • SHA1

      60a3d2f8ecd7084749e49ce89bd41c9264b22469

    • SHA256

      32259dd1b952bfd4e7bb672d6d3e894a540a70f331b02cb60dde9b9842017d07

    • SHA512

      10b05c17a12c26970b050a7d51d30f5e6df07d5604c6123e763d1739da03eac69b4ddec595da099506cb1bbc2c39eec76b89bde3a08342f1624c35d4678d3b99

    • SSDEEP

      24576:alH8PPq9dLgkzA6HwDDutZEDLCHl+oMhPPPKmx9ryqQTnClsPCA2vl4:uUS9dUMArutFT2HfyqQDClzA2vy

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks