General

  • Target

    1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644

  • Size

    927KB

  • Sample

    240108-blcefshebn

  • MD5

    f362a73a814b9b2d1dd9ed8ce21d2bb7

  • SHA1

    6dcbe83bc29bcd5e312f0c50e635ff6a0318551b

  • SHA256

    1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644

  • SHA512

    2462f5ba76004235218d82f90894bdd23c5276eab2b1b595ae6bee86706c79cdcfe3450f4eaa7448d6efeebdcc7c1e31d705e33c0ee80464a3449d8ae1983232

  • SSDEEP

    24576:/DN4MROxnFE3AO3irrcI0AilFEvxHPpooe:/uMiu1irrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

192.168.219.116:10134

Mutex

9163782c0b5d4ce59451034f03e0345e

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\WSupdate\WSupdate.exe

  • reconnect_delay

    10000

  • registry_keyname

    WSupdate

  • taskscheduler_taskname

    WSupdate

  • watchdog_path

    Temp\WSupdate.exe

Targets

    • Target

      1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
