General
- Target: BlitzedGrabberV12exe.exe
- Size: 44.1MB
- Sample: 240107-x2bzhsccen
- MD5: afefebe0065d4402d31ebc67847a2e76
- SHA1: c1ff5a5297df7679f69a4f1d91132b41a24f6334
- SHA256: aaf544958a6ea995d6178f848ec7e52a63d58b2b5374611295c4b52f05140417
- SHA512: 40465f41e358e17dda8c89c25f7cbed806358be56a1f495ced38ba5be1fa07cf00f46c5d56e0142b02152f338c5390633e0080bf0c03bef9afe84b7a57cff2c8
- SSDEEP: 49152:KUAHP06/eyShf+okdWtRAOk3HQ7JTDCgV4L6uzxGiWaUKU:WmBf2dWtnGcDnMjFWxK
Static task: static1
Behavioral task: behavioral1
- Sample: BlitzedGrabberV12exe.exe
- Resource: win7-20231129-en
Malware Config
Extracted: orcus
209.25.141.181:40489
248d60d8a7114264bce951ca45664b1d
- autostart_method: TaskScheduler
- enable_keylogger: true
- install_path: %programdata%\Chrome\chromedriver.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: winlogon.exe
- watchdog_path: AppData\svchost.exe
Targets
- Target: BlitzedGrabberV12exe.exe
- Size: 44.1MB
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory