General

Target: 77c7d93af82e198e1b9747ba69201d9b
Size: 1.0MB
Sample: 240126-te3xyahcb8
MD5: 77c7d93af82e198e1b9747ba69201d9b
SHA1: ca556d4b31b9b0249556f8677837349025d66f1d
SHA256: ef6c7b15e6b1f50e1f6095866b38752bb579c7b3db0cd16bcfe98168a49694ed
SHA512: c1ac7c068ddc385ab701c3a7e516453539070223360c7cec0b7a97f909fcce296d0b20d55d5d8446a635ce3c0e4f4a2e49f92d580b06f2dff969e7fa186f1e69
SSDEEP: 24576:DsnlzLQ/n6Gk7iUZOxEIHrjpisuPj19rpTyEfFn8NBVxMGlw:DslgwuEILNipGAFnoBZlw
Static task: static1

Behavioral task: behavioral1
Sample: Xray/X-Ray.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: Xray/X-Ray.exe
Resource: win10v2004-20231222-en

Behavioral task: behavioral3
Sample: Xray/Xray.exe
Resource: win7-20231129-en
Malware Config

Extracted
orcus
X-Ray
84.211.45.112:1085
2df7378048d342cd973fd1b9a4443c5b

autostart_method: Registry
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Windows
taskscheduler_taskname: Windows Audio
watchdog_path: AppData\OrcusWatchdog.exe
Targets

Target: Xray/X-Ray.dll
Size: 13KB
MD5: bedf2fd3ae2d7aede5f561fec0fbd068
SHA1: 5ea14d9a83e937f6cd2737e12764bab1583b88b3
SHA256: 5d39f2f72dd0bccc6dfb6e193cb9d857126822af77d8481295fbcda863d38a61
SHA512: bd698f0d081b3160cb357bd172c4da20df151dcbac6f4ec98ab6eb3a1baea2937bd219cc56d972d72111fd5ec47da85e7358877702277177f32eb96a9c46c0b1
SSDEEP: 192:oUG1JOVPbkgS8EosdO6XvhF08SKp8stYcFASVc03KY:AoVPbkgx+dO6Xv//pptYcFASVc03K
Score: 1/10

Target: Xray/Xray.exe
Size: 1.2MB
MD5: f5e40c12c971ed8b0bf3ad8945654905
SHA1: 5082c10a069b4f2cc882a5ed2e934b752f4e2a67
SHA256: 80280a9b20ac639d841b002238a66bcddeef930e668005da8fc5e2505c577b67
SHA512: 7525928dbfedcc0299e0d1f0068d5b942f815e04126ea1b87fc8955016e2e6961f7e07691700c9785fcecb18a21df0fdf97a936d9692613ba1ecc242d14c9372
SSDEEP: 12288:gHiLvYSTmLXRzFQwiCXADp9r9sNSoTDCVUjN0ZsCagWdBswgcp4oA+vpDQp5go+1:Z6rRZwXDiXdp0ggWv6oACp47MQ7u

Orcurs Rat Executable
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of SetThreadContext