General

  • Target

    2ad34d3585513ff8bd353fedb9ced0dc57c4560ae5e613abe49fd14a81809868

  • Size

    903KB

  • Sample

    231221-bjszesfacl

  • MD5

    6cda1ed9153e6cdba8e751d86ead02cd

  • SHA1

    da2bc2544fadbb7786d66a995a2a063fe423660f

  • SHA256

    2ad34d3585513ff8bd353fedb9ced0dc57c4560ae5e613abe49fd14a81809868

  • SHA512

    7fe51c65364580e36a08159ea47269a70f954bbc9a36f9f43cb9952dc9fde73f27ef7fe6db1bec5b64dc1bd48cb7e7205104704e96d40be462166f4e4e49833f

  • SSDEEP

    12288:F0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCnZsrNoHr3K55epH+H77dG1lFlE:sj54MROxnF2OVrrcI0AilFEvxHP/ooi

Malware Config

Extracted

Family

orcus

C2

0.tcp.ngrok.io:16874

Mutex

26514c3d022a42d39c6d4728e22957ca

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    windows

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan (RAT) sold on underground forums.

    • Orcus main payload

    • Orcus RAT executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
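The extracted config (C2 endpoint, Run-key value name, install and watchdog paths, scheduled-task name) and the "legitimate hosting services abused for C2" signature translate directly into hunting indicators. The following Python is an added example, not tria.ge or Orcus code: it derives host and network indicators from the config values printed on this page and runs them over a few constructed telemetry records. The record shape, field names and hostnames are assumptions, loosely modelled on Sysmon DNS, registry, file and scheduled-task events. It goes slightly beyond this sample by matching the general ngrok TCP-tunnel naming pattern, since the tunnel number and port differ per operator.

```python
import re

# Values copied from the extracted Orcus config on this page.
ORCUS_CONFIG = {
    "c2": "0.tcp.ngrok.io:16874",
    "mutex": "26514c3d022a42d39c6d4728e22957ca",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "windows",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}

# ngrok hands out TCP tunnels as <n>.tcp[.<region>].ngrok.io; the number and
# port change per tunnel, so hunt for the pattern as well as this sample's host.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2,3})?\.ngrok\.io$", re.IGNORECASE)

# Rule weights: config-specific artifacts are strong on their own; the generic
# task name "windows" and a bare ngrok lookup only warrant a review.
WEIGHTS = {"orcus_c2_domain": 3, "orcus_run_key": 3, "orcus_path": 3,
           "ngrok_tcp_tunnel": 1, "orcus_task_name": 1}


def _path_suffix(path):
    """Strip a leading %VAR% so the indicator matches any drive or locale."""
    return re.sub(r"^%[^%]+%", "", path).lower()


def host_indicators(cfg):
    """Derive matchable indicators from the extracted config dictionary."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        # Mutex is kept for memory forensics; it is not in standard host telemetry.
        "mutex": cfg["mutex"],
        "run_value": cfg["registry_keyname"].lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
        "path_suffixes": {_path_suffix(cfg["install_path"]),
                          _path_suffix(cfg["watchdog_path"])},
    }


def _path_hit(path, ind):
    p = path.lower()
    return any(p.endswith(s) for s in ind["path_suffixes"])


def scan(events, ind):
    """Return (host, rule, detail) for every event matching an indicator."""
    hits = []
    for ev in events:
        h, t = ev["host"], ev["type"]
        if t == "dns":
            q = ev["query"].lower()
            if q == ind["c2_host"]:
                hits.append((h, "orcus_c2_domain", q))
            elif NGROK_TCP_RE.match(q):
                hits.append((h, "ngrok_tcp_tunnel", q))
        elif t == "reg":
            if (ev["key"].lower().endswith(r"\currentversion\run")
                    and ev["value"].lower() == ind["run_value"]):
                hits.append((h, "orcus_run_key", ev["data"]))
            if _path_hit(ev["data"], ind):
                hits.append((h, "orcus_path", ev["data"]))
        elif t == "file" and _path_hit(ev["path"], ind):
            hits.append((h, "orcus_path", ev["path"]))
        elif t == "task" and ev["name"].lower() == ind["task_name"]:
            hits.append((h, "orcus_task_name", ev["name"]))
    return hits


def triage(hits):
    """Score each host: 'orcus' once a config-specific artifact is seen, else 'review'."""
    scores = {}
    for h, rule, _ in hits:
        scores[h] = scores.get(h, 0) + WEIGHTS[rule]
    return {h: ("orcus" if s >= 3 else "review") for h, s in scores.items()}


# Constructed telemetry (not from the sandbox run); field names and hosts are assumed.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "0.tcp.ngrok.io"},
    {"type": "reg", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Orcus", "data": r"C:\Program Files\Orcus\Orcus.exe"},
    {"type": "file", "host": "ws01",
     "path": r"C:\Users\alice\AppData\OrcusWatchdog.exe"},
    {"type": "task", "host": "ws01", "name": "windows"},
    {"type": "dns", "host": "ws02", "query": "4.tcp.eu.ngrok.io"},  # a different tunnel
    {"type": "task", "host": "ws02", "name": "Windows Update Check"},
    {"type": "dns", "host": "ws03", "query": "ngrok.com"},          # benign lookup
]

if __name__ == "__main__":
    ind = host_indicators(ORCUS_CONFIG)
    for hit in scan(SAMPLE_EVENTS, ind):
        print(hit)
    print(triage(scan(SAMPLE_EVENTS, ind)))
```

Two caveats worth keeping in mind when turning this into production rules: the task name "windows" and the ngrok tunnel pattern are deliberately low-weight because both will appear on clean machines, and the reconnect_delay of 10000 (milliseconds in Orcus's settings) points to a roughly 10-second reconnect cadence, which is a separate network-side hunt the host indicators above do not cover.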

MITRE ATT&CK Enterprise v15

Tasks