General

  • Target

    a0aae538ed6845b3d9a3b69372faf03cf785a41e7071fc8f52e523f1f7f216c8

  • Size

    941KB

  • Sample

    240108-bkjr5saeh6

  • MD5

    87b31513e784ff301c72d2e7d3c8c04b

  • SHA1

    be7416f9f942390904c7d540d110a38cffdcf645

  • SHA256

    a0aae538ed6845b3d9a3b69372faf03cf785a41e7071fc8f52e523f1f7f216c8

  • SHA512

    cce552b678a50837174de14dfcb0f5d6d9304462e7d6b74dbfe655bd38ca99536a930def9bbdeee5548e041497394ddf6303c888c7f9138229991d40eb90294c

  • SSDEEP

    24576:rAhZbW7uK6ywJPApFDKZHxieg5s7LN/iMj4NiN:YZbk6ywJPALOFg5sFiMj4NiN

Malware Config (extracted)

  • Family

    orcus

  • C2

    nonamedc.mcv.kr:8080

  • Mutex

    fcca7214f2cf43aa90403230957e4103

  • Attributes

    • autostart_method: Disable

    • enable_keylogger: true

    • install_path: %programfiles%\Orcus\Orcus.exe

    • reconnect_delay: 10000

    • registry_keyname: Orcus

    • taskscheduler_taskname: Orcus

    • watchdog_path: AppData\OrcusWatchdog.exe

Targets

  • Target

    a0aae538ed6845b3d9a3b69372faf03cf785a41e7071fc8f52e523f1f7f216c8 (941KB; hashes as listed under General)

  • Signatures

    • Orcus: Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Suspicious use of SetThreadContext
