General

  • Target

    ez.exe

  • Size

    901KB

  • Sample

    250201-ca533a1kgz

  • MD5

    f49c5572fb615b4744ca0bc95753b1f4

  • SHA1

    cccba90c9673d225e7a583b1ff41100c8ffa22ae

  • SHA256

    11a324a1acdd3d777c54e2bff94d94f48938e1738a9f69cb57082b5d16de064d

  • SHA512

    a6593ea5eb08911942ac1f3fba7b4a2c00193b5b1dfe5b1f28a9bdcd0c87b59893fdf8a211ffb837a74a3346b2e0dd315275e1fc903bf63e5176507c9f8b159b

  • SSDEEP

    12288:78shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBE:o3s4MROxnF9LqrZlI0AilFEvxHi4y

Malware Config

Extracted

Family

orcus

C2

thursday-ultram.gl.at.ply.gg:43140

Mutex

7885de351091420891dddfdf004e931c

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      ez.exe

    • Size

      901KB

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)