Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    BlitzedGrabberV12exe.exe

  • Size

    44.1MB

  • Sample

    240107-x2bzhsccen

  • MD5

    afefebe0065d4402d31ebc67847a2e76

  • SHA1

    c1ff5a5297df7679f69a4f1d91132b41a24f6334

  • SHA256

    aaf544958a6ea995d6178f848ec7e52a63d58b2b5374611295c4b52f05140417

  • SHA512

    40465f41e358e17dda8c89c25f7cbed806358be56a1f495ced38ba5be1fa07cf00f46c5d56e0142b02152f338c5390633e0080bf0c03bef9afe84b7a57cff2c8

  • SSDEEP

    49152:KUAHP06/eyShf+okdWtRAOk3HQ7JTDCgV4L6uzxGiWaUKU:WmBf2dWtnGcDnMjFWxK

Malware Config

Extracted

Family

orcus

C2

209.25.141.181:40489

Mutex

248d60d8a7114264bce951ca45664b1d

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programdata%\Chrome\chromedriver.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    winlogon.exe

  • watchdog_path

    AppData\svchost.exe

Targets

    • Target

      BlitzedGrabberV12exe.exe

    • Size

      44.1MB

    • MD5

      afefebe0065d4402d31ebc67847a2e76

    • SHA1

      c1ff5a5297df7679f69a4f1d91132b41a24f6334

    • SHA256

      aaf544958a6ea995d6178f848ec7e52a63d58b2b5374611295c4b52f05140417

    • SHA512

      40465f41e358e17dda8c89c25f7cbed806358be56a1f495ced38ba5be1fa07cf00f46c5d56e0142b02152f338c5390633e0080bf0c03bef9afe84b7a57cff2c8

    • SSDEEP

      49152:KUAHP06/eyShf+okdWtRAOk3HQ7JTDCgV4L6uzxGiWaUKU:WmBf2dWtnGcDnMjFWxK

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks