Overview

overview

10

Static

static

10

tumblr-main/svc.exe

windows7-x64

10

tumblr-mai...st.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tumblr-main.zip

  • Size

    2.7MB

  • Sample

    241120-1286ssvfml

  • MD5

    0f1c1ddd22a6e887bc885f6fa3111f0c

  • SHA1

    75318eaf63d1a26db516d5d2e3addaea215d9af2

  • SHA256

    64348ec4267b52c1a7f639ccfaf9478b6d5159f796176076650901e5b7c0e1df

  • SHA512

    26a29c1bc4d28cd70a55f441030de90b231df201d52cb6034f28ff1e46816908abe76c0371b66035edd228cf687f9b708183546f10ac9946797056874f038f2c

  • SSDEEP

    49152:mfJeEggRVen7AL7ZsjtC958jmOEw57gpYdQMz5YX98qCVo/x96DLB0wuG4WTMo5j:mfJugysmWAmOXZgOndbKyDlXuGnTn5M2

Score
10/10
orcusxwormratspywarestealertrojan

Malware Config

Extracted

Family

orcus

C2

45.10.151.182:10134

Mutex

064acb3fed56475eaee5e20cdd2d83c3

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\svchost.exe

  • reconnect_delay

    10000

  • registry_keyname

    svchost

  • taskscheduler_taskname

    svchost

  • watchdog_path

    AppData\csrss.exe

Extracted

Family

xworm

C2

45.10.151.182:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      tumblr-main/svc.exe

    • Size

      3.0MB

    • MD5

      7a461d8d06c7859b09524ceb0f3d7e4a

    • SHA1

      aa27353c3883ef1ce5728dd0112e79fec7ee2fa6

    • SHA256

      7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

    • SHA512

      22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea

    • SSDEEP

      49152:4i9R1/op1fAZeM9/NtRaO5NYAxC48VYrJAypQxbn32o9JnCmxJWncFfSIH4Duis:4EMtQR9TYW8V0OypSbGo9JCmx

    Score
    10/10
    orcusratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Orcurs Rat Executable

    behavioral1

    • Target

      tumblr-main/svchost.exe

    • Size

      54KB

    • MD5

      161f7262ae9a6d95ce0f93e46cc5fcf9

    • SHA1

      164551a9330c19a9ed62b6e7d54c6d247704b5e0

    • SHA256

      73a74ebd5e95700aef901c8771fc4b64a677885f23e15bd67628b38e726f7408

    • SHA512

      63bcc54b5846ec20e65c660054d5f6051f357bf803451bf740d7d27505dcc3497a122d62e62ed966329d5b713b8848300bb5ddd77025a3b53cd0d53a19a4c3ea

    • SSDEEP

      1536:SgkETz/wBd3o3nnJWbdWDc06KVnO/jtg:SGnIcXJWbdWBnO/xg

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm
    behavioral2

MITRE ATT&CK Matrix

Tasks