
General

  • Target

    d11c014cf97dadb85417c2ecf4c6b0167aba8d3b37f5fe5c877521382503c254

  • Size

    924KB

  • Sample

    240106-bdngradgan

  • MD5

    7c0c55ab2b8634065d799ac812fdb831

  • SHA1

    e1a4e04f6ea91634afe052b35ab5d0073cf7f717

  • SHA256

    d11c014cf97dadb85417c2ecf4c6b0167aba8d3b37f5fe5c877521382503c254

  • SHA512

    20de34e7fdf711c9ec3ce80ee67e185dacd138d5af8952769df6591cd5e2a4de3dd383f7cbf06c8f3b696eea3b9ccff76a69d795cdfc9dda8957de89dbce8bfd

  • SSDEEP

    24576:CmHR4MROxnFE3kO3zrrcI0AilFEvxHP7oog:luMiuBzrrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

Botnet

Shield

C2

127.0.0.1:10134

(The configured C2 is a loopback address, so this build never beacons off the host; treat it as a builder-test or cracked-build artifact rather than an address to block, and rely on the host indicators below instead.)

Mutex

d3ab246458c8472c849979744c54e1dc

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    System

  • watchdog_path

    AppData\OrcusWatchdog.exe
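To make the extracted config actionable, the following added example (not part of the Triage report or of Orcus itself) turns the values above into host indicators and matches them against constructed Sysmon/Security-log events. Assumptions not stated in the report: %programfiles% resolves to C:\Program Files, the Run value may live under HKCU or HKLM, the relative watchdog path may land in AppData or AppData\Roaming (so it is matched on basename plus directory), and the sample events are made up for the demonstration.

```python
"""Map the Orcus config extracted in this report to host/network indicators and
match them against Sysmon (EventID 3/11/13) and Security (EventID 4698) events."""
import ipaddress
import re

# Values transcribed from the "Malware Config" section of this report.
ORCUS_CONFIG = {
    "family": "orcus",
    "botnet": "Shield",
    "c2": ["127.0.0.1:10134"],
    "mutex": "d3ab246458c8472c849979744c54e1dc",
    "autostart_method": "Registry",
    "enable_keylogger": True,
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "reconnect_delay": 10000,
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "System",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}

# Assumption (not stated in the report): how %programfiles% resolves on the victim.
DEFAULT_ENV = {"programfiles": r"C:\Program Files"}
_ENV_TOKEN = re.compile(r"%([^%]+)%")


def expand_windows_env(path, env=DEFAULT_ENV):
    """Expand %VAR% tokens case-insensitively, so this works off the Windows box."""
    table = {k.lower(): v for k, v in env.items()}
    return _ENV_TOKEN.sub(lambda m: table.get(m.group(1).lower(), m.group(0)), path)


def _is_loopback(hostport):
    host = hostport.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return False


def config_to_iocs(cfg, env=DEFAULT_ENV):
    """Normalise the extracted config into lower-cased indicators to match on."""
    watchdog_dir, _, watchdog_name = cfg["watchdog_path"].rpartition("\\")
    return {
        "install_path": expand_windows_env(cfg["install_path"], env).lower(),
        # Relative path in the config: match on basename plus the directory name,
        # because the report does not say whether it lands in AppData or AppData\Roaming.
        "watchdog_name": watchdog_name.lower(),
        "watchdog_dir": "\\" + watchdog_dir.lower() + "\\",
        # Suffix match so both HKCU and HKLM Run keys are covered (assumption).
        "run_value_suffix": "\\currentversion\\run\\" + cfg["registry_keyname"].lower(),
        "task_name": "\\" + cfg["taskscheduler_taskname"].lower(),
        "mutex": cfg["mutex"].lower(),
        # A loopback C2 never beacons off-host: keep it as an indicator but downgrade it.
        "c2": {addr: _is_loopback(addr) for addr in cfg["c2"]},
    }


def match_event(event, iocs):
    """Return (indicator, confidence) pairs satisfied by one event dict."""
    hits = []
    eid = event.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        f = event.get("TargetFilename", "").lower()
        if f == iocs["install_path"]:
            hits.append(("install_path", "high"))
        if f.endswith("\\" + iocs["watchdog_name"]) and iocs["watchdog_dir"] in f:
            hits.append(("watchdog_path", "high"))
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        if event.get("TargetObject", "").lower().endswith(iocs["run_value_suffix"]):
            hits.append(("run_key", "high"))
    elif eid == 4698:  # Security: scheduled task created
        if event.get("TaskName", "").lower() == iocs["task_name"]:
            # "System" is a generic task name; trust it only when the action runs the implant.
            implant = iocs["install_path"].rsplit("\\", 1)[1]
            runs_implant = implant in event.get("TaskContent", "").lower()
            hits.append(("scheduled_task", "high" if runs_implant else "low"))
    elif eid == 3:  # Sysmon NetworkConnect
        dest = "%s:%s" % (event.get("DestinationIp", ""), event.get("DestinationPort", ""))
        if dest in iocs["c2"]:
            hits.append(("c2", "low" if iocs["c2"][dest] else "high"))
    return hits


def scan(events, iocs):
    """Run match_event over a list of events; return only the ones that hit."""
    results = []
    for i, event in enumerate(events):
        hits = match_event(event, iocs)
        if hits:
            results.append({"index": i, "hits": hits})
    return results


# Constructed sample telemetry (not from the report), using Sysmon/Security field names.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Program Files\Orcus\Orcus.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\AppData\Roaming\OrcusWatchdog.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\Orcus",
     "Details": r"C:\Program Files\Orcus\Orcus.exe"},
    {"EventID": 4698, "TaskName": r"\System",
     "TaskContent": r"<Exec><Command>C:\Program Files\Orcus\Orcus.exe</Command></Exec>"},
    {"EventID": 4698, "TaskName": r"\System",
     "TaskContent": r"<Exec><Command>C:\Windows\System32\svchost.exe</Command></Exec>"},
    {"EventID": 3, "DestinationIp": "127.0.0.1", "DestinationPort": "10134"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\Downloads\invoice.pdf"},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS, config_to_iocs(ORCUS_CONFIG)):
        print(r)
```

The scheduled-task check is deliberately two-tier: a task named "System" on its own is too generic to alert on, so it is only rated high when the task action references the implant binary from the config; likewise the loopback C2 is reported at low confidence because nothing leaves the host.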

Targets

    • Orcus

      Orcus is a commercial Remote Access Trojan sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks