General

  • Target

    c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263

  • Size

    903KB

  • Sample

    231221-bdymqahed8

  • MD5

    16a5e446b2f6d72f5c3b51f2030f0896

  • SHA1

    062a20802a429c2affcf2b2d90307abd3a1a4d42

  • SHA256

    c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263

  • SHA512

    53edc505dd50d61b2ff5e40bf3116b337293051d33f04cf8215707710839cf6da1825bdb961a79c99ba30d05c17d0bfa13cf97081af5aebcda87688000b7f9ee

  • SSDEEP

    12288:Y0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCnZsrNoHr3K55epH+H77dG1lFlC:rj54MROxnF2OVrrcI0AilFEvxHPFooi

Malware Config

Extracted

Family

orcus

C2

0.tcp.ngrok.io:11834

Mutex

5eb7c1974822419bb4b242629178c9fa

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    windows

  • taskscheduler_taskname

    windows

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks