General

  • Target

    c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017

  • Size

    921KB

  • Sample

    240108-blmkeshebp

  • MD5

    9ff549c7a1a5a8f0762cf2d9257d8125

  • SHA1

    d7c38c4dff352e61d426a1a897047e7ea5a43624

  • SHA256

    c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017

  • SHA512

    f2cfebf1a0f26fc3e18b818b731c69c4e9899d1d1281b4c4a0ae53432960587f6ad2ec7785c115534a137d80ef4f3046a0641b594ad871738b228b4948a04a17

  • SSDEEP

    24576:/kL94MROxnF43Ac9rrcI0AilFEvxHPioop:cWMiG3rrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

192.168.1.72:6969

Mutex

ca3b5495a0294735a710f7cfa066ad39

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

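The extracted configuration above is the useful part of this report for defenders: it gives the install path, watchdog path, scheduled-task name, Run value name, mutex and C2 endpoint the build will create. The script below is an added example, not part of the Triage report or of Orcus itself, that turns those values into host-telemetry matchers and runs them over a handful of constructed Sysmon-style events. Two things it assumes beyond what the config states: `%programfiles%` may resolve to either Program Files directory, and `AppData\OrcusWatchdog.exe` may sit under Roaming or Local AppData. Note the two caveats a practitioner would want: `autostart_method` is `TaskScheduler`, so the scheduled task named `Orcus` is the persistence to expect (the `Orcus` Run value is matched too because the config carries `registry_keyname`, but this build need not write it), and the C2 is an RFC 1918 address, so a network match only means something inside the network the sample was built for.

```python
import ipaddress
import re

# Indicators copied from the "Malware Config" section of this report.
ORCUS_C2 = ("192.168.1.72", 6969)
ORCUS_MUTEX = "ca3b5495a0294735a710f7cfa066ad39"
ORCUS_TASK_NAME = "Orcus"

# The config gives paths with placeholders (%programfiles%\Orcus\Orcus.exe,
# AppData\OrcusWatchdog.exe). Turn them into patterns over concrete Windows paths.
# Assumptions (not stated in the config): either Program Files directory may be
# used, and the watchdog may sit under Roaming or Local AppData.
INSTALL_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\orcus\\orcus\.exe$", re.I)
WATCHDOG_RE = re.compile(r"\\appdata\\(roaming\\|local\\)?orcuswatchdog\.exe$", re.I)
# registry_keyname "Orcus" is matched as a value under the standard Run key.
RUN_VALUE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\orcus$", re.I)
# The mutex may be created with or without a Local\ or Global\ namespace prefix.
MUTEX_RE = re.compile(r"^(global\\|local\\)?" + ORCUS_MUTEX + r"$", re.I)


def c2_is_routable():
    """False here: 192.168.1.72 is RFC 1918, so this is a lab/test build indicator,
    not something to block at the perimeter."""
    return not ipaddress.ip_address(ORCUS_C2[0]).is_private


def match_orcus(event):
    """Return the names of the report's config fields that one telemetry event hits.

    `event` is a dict with a 'type' key; the other keys are loosely modelled on
    Sysmon fields (image, path, task_name, target, dst_ip, dst_port, name)."""
    hits = []
    t = event.get("type")
    if t == "process_create" and INSTALL_RE.match(event.get("image", "")):
        hits.append("install_path")
    if t == "file_create":
        if INSTALL_RE.match(event.get("path", "")):
            hits.append("install_path")
        if WATCHDOG_RE.search(event.get("path", "")):
            hits.append("watchdog_path")
    if t == "task_create" and event.get("task_name", "").lstrip("\\").lower() == ORCUS_TASK_NAME.lower():
        hits.append("taskscheduler_taskname")
    if t == "registry_set" and RUN_VALUE_RE.search(event.get("target", "")):
        hits.append("registry_keyname")
    if t == "network_connect" and (event.get("dst_ip"), event.get("dst_port")) == ORCUS_C2:
        hits.append("c2")
    if t == "mutex_create" and MUTEX_RE.match(event.get("name", "")):
        hits.append("mutex")
    return hits


def hunt(events):
    """Return [(event_index, [matched_fields])] for every event that matched."""
    out = []
    for i, ev in enumerate(events):
        hits = match_orcus(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed telemetry, not from the sandbox run: six events shaped after the
# report's config plus two benign ones that must not match.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Orcus\Orcus.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\OrcusWatchdog.exe"},
    {"type": "task_create", "task_name": r"\Orcus"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Orcus"},
    {"type": "network_connect", "dst_ip": "192.168.1.72", "dst_port": 6969},
    {"type": "mutex_create", "name": r"Local\ca3b5495a0294735a710f7cfa066ad39"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network_connect", "dst_ip": "192.168.1.72", "dst_port": 445},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
    print("C2 routable on the internet:", c2_is_routable())
```

The matchers key on the configurable values (path, task name, value name, mutex) rather than on the file hashes, because a rebuilt Orcus client with the same builder settings changes its hash but keeps these.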
Targets

    • Target

      c3f56f3b1474382dfde9812d111bc27444b1641af7ba6e63a6758bb3edf6a017

    • Orcus

      Orcus is a Remote Access Trojan (RAT) sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks