
General

  • Target

    b7bcc2956573b5bb7847d280edca2134d50781c43305904c6c5c5d327631516e

  • Size

    3.0MB

  • Sample

    231216-bjlkcahggk

  • MD5

    f1079cd53751a4d8092a532c07f8e837

  • SHA1

    d8bb9b8e4c54d50385054bf4367702429aeda7bd

  • SHA256

    b7bcc2956573b5bb7847d280edca2134d50781c43305904c6c5c5d327631516e

  • SHA512

    1417a0f109d56d97475304ca690ea6a4e71b7f5937dc5c7b355e1a172ab0e375cd0eb0ecbf297c7d9f4703c81338b5b6ce01bded0090d9f568bf8da80b9b0ab8

  • SSDEEP

    49152:5GPEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmBrrzIu:5CtODUKTslWp2MpbfGGilIJPypSbxEor

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    KLauncher

  • C2

    5.tcp.eu.ngrok.io:17730

  • Mutex

    da69058839134507b85e2e9518dddfb4

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      b7bcc2956573b5bb7847d280edca2134d50781c43305904c6c5c5d327631516e

    • Size

      3.0MB

    • MD5

      f1079cd53751a4d8092a532c07f8e837

    • SHA1

      d8bb9b8e4c54d50385054bf4367702429aeda7bd

    • SHA256

      b7bcc2956573b5bb7847d280edca2134d50781c43305904c6c5c5d327631516e

    • SHA512

      1417a0f109d56d97475304ca690ea6a4e71b7f5937dc5c7b355e1a172ab0e375cd0eb0ecbf297c7d9f4703c81338b5b6ce01bded0090d9f568bf8da80b9b0ab8

    • SSDEEP

      49152:5GPEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmBrrzIu:5CtODUKTslWp2MpbfGGilIJPypSbxEor

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable
