General

  • Target

    ac9b33b420e2e43dd32353bfdbd518be729cd01f94e6c554acc806c53bbf9d74

  • Size

    736KB

  • Sample

    240106-bjz3qsfba4

  • MD5

    d88135b74e35c0b2aa91391ee597d614

  • SHA1

    4bf900382fbf95759ccf9840598c7860bdcc707b

  • SHA256

    ac9b33b420e2e43dd32353bfdbd518be729cd01f94e6c554acc806c53bbf9d74

  • SHA512

    2ca521926b1a5525fc3553a82a8ed60db98be27a9bb4143e53b3f56ac2ade9a772cd47768862b1dedf021618c8d8b52d295ed934bdf940c1a38cae0af3c0785d

  • SSDEEP

    12288:QHLVtkrlboSQwLNZtH+ktfzX2EyZ4cCDaQhyOxbQukcHTBwla8Ts8pMzQVu:6Ra5bvQ8NvHLJX2ZhYhQsdwBqQVu

Malware Config

Extracted

Family

orcus

C2

10.0.2.15:4444

Mutex

afe4268b3e1340c8b922890ff0856cb0

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    explorer

  • taskscheduler_taskname

    java

  • watchdog_path

    AppData\java.exe

Targets

    • Target

      ac9b33b420e2e43dd32353bfdbd518be729cd01f94e6c554acc806c53bbf9d74

    • Size

      736KB

    • MD5

      d88135b74e35c0b2aa91391ee597d614

    • SHA1

      4bf900382fbf95759ccf9840598c7860bdcc707b

    • SHA256

      ac9b33b420e2e43dd32353bfdbd518be729cd01f94e6c554acc806c53bbf9d74

    • SHA512

      2ca521926b1a5525fc3553a82a8ed60db98be27a9bb4143e53b3f56ac2ade9a772cd47768862b1dedf021618c8d8b52d295ed934bdf940c1a38cae0af3c0785d

    • SSDEEP

      12288:QHLVtkrlboSQwLNZtH+ktfzX2EyZ4cCDaQhyOxbQukcHTBwla8Ts8pMzQVu:6Ra5bvQ8NvHLJX2ZhYhQsdwBqQVu

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks