Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263
-
Size
903KB
-
Sample
231221-bdymqahed8
-
MD5
16a5e446b2f6d72f5c3b51f2030f0896
-
SHA1
062a20802a429c2affcf2b2d90307abd3a1a4d42
-
SHA256
c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263
-
SHA512
53edc505dd50d61b2ff5e40bf3116b337293051d33f04cf8215707710839cf6da1825bdb961a79c99ba30d05c17d0bfa13cf97081af5aebcda87688000b7f9ee
-
SSDEEP
12288:Y0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCnZsrNoHr3K55epH+H77dG1lFlC:rj54MROxnF2OVrrcI0AilFEvxHPFooi
Behavioral task
behavioral1
Sample
c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
orcus
0.tcp.ngrok.io:11834
5eb7c1974822419bb4b242629178c9fa
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
windows
-
taskscheduler_taskname
windows
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263
-
Size
903KB
-
MD5
16a5e446b2f6d72f5c3b51f2030f0896
-
SHA1
062a20802a429c2affcf2b2d90307abd3a1a4d42
-
SHA256
c31f48204b6a9e9188296864abf9b8ad92a54f13973c2c5462da521a9b7c0263
-
SHA512
53edc505dd50d61b2ff5e40bf3116b337293051d33f04cf8215707710839cf6da1825bdb961a79c99ba30d05c17d0bfa13cf97081af5aebcda87688000b7f9ee
-
SSDEEP
12288:Y0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCnZsrNoHr3K55epH+H77dG1lFlC:rj54MROxnF2OVrrcI0AilFEvxHPFooi
Score10/10-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-