Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644
-
Size
927KB
-
Sample
240108-blcefshebn
-
MD5
f362a73a814b9b2d1dd9ed8ce21d2bb7
-
SHA1
6dcbe83bc29bcd5e312f0c50e635ff6a0318551b
-
SHA256
1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644
-
SHA512
2462f5ba76004235218d82f90894bdd23c5276eab2b1b595ae6bee86706c79cdcfe3450f4eaa7448d6efeebdcc7c1e31d705e33c0ee80464a3449d8ae1983232
-
SSDEEP
24576:/DN4MROxnFE3AO3irrcI0AilFEvxHPpooe:/uMiu1irrcI0AilFEvxHP
Behavioral task
behavioral1
Sample
1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
orcus
192.168.219.116:10134
9163782c0b5d4ce59451034f03e0345e
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\WSupdate\WSupdate.exe
-
reconnect_delay
10000
-
registry_keyname
WSupdate
-
taskscheduler_taskname
WSupdate
-
watchdog_path
Temp\WSupdate.exe
Targets
-
-
Target
1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644
-
Size
927KB
-
MD5
f362a73a814b9b2d1dd9ed8ce21d2bb7
-
SHA1
6dcbe83bc29bcd5e312f0c50e635ff6a0318551b
-
SHA256
1fea1ccd5eb2cfa5295d7bb3058ba4c36b6b6c71c75101b2950345876f5f7644
-
SHA512
2462f5ba76004235218d82f90894bdd23c5276eab2b1b595ae6bee86706c79cdcfe3450f4eaa7448d6efeebdcc7c1e31d705e33c0ee80464a3449d8ae1983232
-
SSDEEP
24576:/DN4MROxnFE3AO3irrcI0AilFEvxHPpooe:/uMiu1irrcI0AilFEvxHP
Score10/10-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-