Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Orcus swapper.exe
-
Size
901KB
-
Sample
250201-cc95sstjaj
-
MD5
c1550485609b58f6c391723124e44983
-
SHA1
a8f215ac5ab3c38639d2b79e871ba470b5184528
-
SHA256
2440ed39a2aa011fde6337c3cb2b9cc6554a16318fce7180adc8c18d7076f3ae
-
SHA512
e6cb0f54f0695e58e8e34eb9e13be2ab759bf12390ba1567afb790094f968a1ddd83e35981c6c80ef41ba2ebbf14ff134efe023a5049b989777476cf8ad08e98
-
SSDEEP
12288:XTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBG:zqI4MROxnFMLqrZlI0AilFEvxHiTL
Malware Config
Extracted
orcus
thursday-ultram.gl.at.ply.gg:43140
83da8ce021af464fa24cc00b09ce1f30
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
Orcus swapper.exe
-
Size
901KB
-
MD5
c1550485609b58f6c391723124e44983
-
SHA1
a8f215ac5ab3c38639d2b79e871ba470b5184528
-
SHA256
2440ed39a2aa011fde6337c3cb2b9cc6554a16318fce7180adc8c18d7076f3ae
-
SHA512
e6cb0f54f0695e58e8e34eb9e13be2ab759bf12390ba1567afb790094f968a1ddd83e35981c6c80ef41ba2ebbf14ff134efe023a5049b989777476cf8ad08e98
-
SSDEEP
12288:XTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBG:zqI4MROxnFMLqrZlI0AilFEvxHiTL
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-