General

  • Target

    50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee

  • Size

    2.9MB

  • Sample

    231221-ckmz8sfcel

  • MD5

    5afad0c2ad5b3e6aa2e77756104e3b62

  • SHA1

    f5493d742da9890b6fd60476dd52eee1b1b1c445

  • SHA256

    50c1d2e9ca2c339ee1d4dde094dd9680505bb13cba75c53af408dabbc209ecee

  • SHA512

    cd53233220d7b3c354999e336a4ee7d5a3fadc803fff81c9717eff92b0a8fe83522ffd80b5aa7e0ce695d0ea6add32d982030b34898fcafa32f2023a9aed8bbd

  • SSDEEP

    49152:VOrN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmjWncFf0I74gu3wMc:VE0wGGzBjryX82uypSb9ndo9JCmp

Malware Config

Extracted

Family

orcus

C2

following-s.gl.at.ply.gg:38914

Mutex

41f3efa141e34614a0c4fe5e1092cae0

Attributes

  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE
