General

  • Target

    586ee7a1806b903c8bbd849fac7f084ec49c5cdc10d7dbfb0322a0e8c9ce46e5

  • Size

    912KB

  • Sample

    240108-bhv3dsheak

  • MD5

    7357d6bd692d5f33708fce3f9477a6c5

  • SHA1

    ebc37ee7242f855642e1d8b26eb99b6633954e5b

  • SHA256

    586ee7a1806b903c8bbd849fac7f084ec49c5cdc10d7dbfb0322a0e8c9ce46e5

  • SHA512

    1464c638cc51308c88a0a2f23bfc20dc458b137e9827cdc6e723f8eb465f68e0dfad08a71355f8e3bf8b66d4c0bba0f66cd1f407d46f7f62b6c03fd76ce292da

  • SSDEEP

    24576:HkL94MROxnFe3IdOrrcI0AilFEvxHPWvood:EWMiw9rrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

192.168.1.72:6969

Mutex

5a53ca42f4194cad8f3e25b8b9bf56df

Attributes

  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\WindowsDefender.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL
