General

  • Target

    c7b04d4dc2618a3c72948baf64ff1eb0357862f543ac411d753ca8dcc1f2803c

  • Size

    940KB

  • Sample

    231226-bdqxwagabk

  • MD5

    eb910347e492043c4dda505b3e1e0965

  • SHA1

    e8a8f7d6d0626368c3e8965a15376eda90e57c0e

  • SHA256

    c7b04d4dc2618a3c72948baf64ff1eb0357862f543ac411d753ca8dcc1f2803c

  • SHA512

    2a858ef51b8accbc848da654eacd5f1fda33332afa88f47b62cc43e97f075e3299a9f25253c10345db125322b686a99d8a975dd89bd10d86f8a724196eee3a4a

  • SSDEEP

    24576:/qJJm85OtTmbOYBD+/ZjF2D0caOHqQ1G70jqtvnn01:/oOdmbRyuaOdG7p/

Malware Config

Extracted

Family

orcus

Botnet

Default

C2

192.168.178.77:10134

Mutex

2702b7bef9454d4d80581f7c64271b9c

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Winrer\winrer.exe

  • reconnect_delay

    10000

  • registry_keyname

    servinhost

  • taskscheduler_taskname

    winreg

  • watchdog_path

    AppData\scvbost.exe
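The extracted configuration above is the useful part of this report: it names the C2 endpoint, the mutex, the install and watchdog paths, the Run value name and the scheduled task name, which together are the host and network indicators a responder would hunt for. The following script is an added example for this page, not Triage tooling or Orcus code. It turns the config into indicators and runs them over a small set of constructed telemetry events. The event schema is invented for the example, the hive and path of the Run key (HKCU or HKLM `...\CurrentVersion\Run`) are an assumption drawn from `autostart_method: Registry`, and the private-address check is there because the C2 here is an RFC 1918 address, so this build only reaches its operator on the LAN it was configured for and the IP is not a useful perimeter indicator.

```python
"""Indicators from the extracted Orcus config, matched over sample telemetry.

Added example for this report; not Triage tooling. The event schema is
constructed, and the assumption that the Run value sits under a
...\\CurrentVersion\\Run key (HKCU or HKLM) is ours, not the report's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values copied from the Malware Config section of this report.
ORCUS_CONFIG = {
    "c2": "192.168.178.77:10134",
    "mutex": "2702b7bef9454d4d80581f7c64271b9c",
    "install_path": r"%programfiles%\Winrer\winrer.exe",
    "registry_keyname": "servinhost",
    "taskscheduler_taskname": "winreg",
    "watchdog_path": r"AppData\scvbost.exe",
}


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    c2_is_private: bool  # RFC 1918 C2: the build only works on its own LAN
    mutex: str
    install_basename: str
    watchdog_basename: str
    run_value_name: str
    task_name: str


def basename(win_path: str) -> str:
    """Last component of a Windows path; %programfiles% is left unexpanded."""
    return win_path.rsplit("\\", 1)[-1].lower()


def indicators_from_config(cfg: Dict[str, str]) -> Indicators:
    host, port = cfg["c2"].rsplit(":", 1)
    return Indicators(
        c2_host=host,
        c2_port=int(port),
        c2_is_private=ipaddress.ip_address(host).is_private,
        mutex=cfg["mutex"].lower(),
        install_basename=basename(cfg["install_path"]),
        watchdog_basename=basename(cfg["watchdog_path"]),
        run_value_name=cfg["registry_keyname"].lower(),
        task_name=cfg["taskscheduler_taskname"].lower(),
    )


def match_event(ind: Indicators, ev: Dict) -> Optional[str]:
    """Return a reason when the event matches an indicator, else None."""
    t = ev["type"]
    if t == "registry_set":
        # Assumption: autostart_method=Registry means a value under a Run key.
        if ev["key"].lower().endswith("\\run") and ev["value"].lower() == ind.run_value_name:
            return f"Run value '{ev['value']}' -> {ev['data']}"
    elif t == "process_create":
        name = basename(ev["image"])
        if name == ind.install_basename:
            return f"install path executed: {ev['image']}"
        if name == ind.watchdog_basename:
            # scvbost.exe imitates svchost.exe; compare whole names, never substrings.
            return f"watchdog executed: {ev['image']}"
    elif t == "task_create" and ev["name"].lower() == ind.task_name:
        return f"scheduled task '{ev['name']}' created"
    elif t == "mutex_create" and ev["name"].lower().endswith(ind.mutex):
        return f"mutex {ind.mutex} created"
    elif t == "network_connect" and ev["dst_ip"] == ind.c2_host and ev["dst_port"] == ind.c2_port:
        return f"C2 connection to {ind.c2_host}:{ind.c2_port}"
    return None


def scan(ind: Indicators, events: List[Dict]) -> List[Tuple[int, str]]:
    hits = []
    for i, ev in enumerate(events):
        reason = match_event(ind, ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample telemetry (not from the report); the last two are benign.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "servinhost", "data": r"C:\Program Files\Winrer\winrer.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Winrer\winrer.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\scvbost.exe"},
    {"type": "task_create", "name": "winreg"},
    {"type": "mutex_create", "name": r"\Sessions\1\BaseNamedObjects\2702b7bef9454d4d80581f7c64271b9c"},
    {"type": "network_connect", "dst_ip": "192.168.178.77", "dst_port": 10134},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network_connect", "dst_ip": "192.168.178.77", "dst_port": 443},
]

if __name__ == "__main__":
    ind = indicators_from_config(ORCUS_CONFIG)
    print("C2 is RFC 1918 private:", ind.c2_is_private)
    for i, reason in scan(ind, SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Exact-name comparison matters for the watchdog: `scvbost.exe` is chosen to blend in next to `svchost.exe`, and a substring or fuzzy match would flag the real service host. Because the C2 is private, the network indicator belongs in an internal-segment detection, not an external blocklist.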

Targets

    • Target

      c7b04d4dc2618a3c72948baf64ff1eb0357862f543ac411d753ca8dcc1f2803c

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
