orcus | tumblr-main[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

tumblr-main.zip
Size

2.7MB
MD5

0f1c1ddd22a6e887bc885f6fa3111f0c
SHA1

75318eaf63d1a26db516d5d2e3addaea215d9af2
SHA256

64348ec4267b52c1a7f639ccfaf9478b6d5159f796176076650901e5b7c0e1df
SHA512

26a29c1bc4d28cd70a55f441030de90b231df201d52cb6034f28ff1e46816908abe76c0371b66035edd228cf687f9b708183546f10ac9946797056874f038f2c
SSDEEP

49152:mfJeEggRVen7AL7ZsjtC958jmOEw57gpYdQMz5YX98qCVo/x96DLB0wuG4WTMo5j:mfJugysmWAmOXZgOndbKyDlXuGnTn5M2

Score

10^/10

orcus xworm

Malware Config

Extracted

Family

orcus

45.10.151.182:10134

Mutex

064acb3fed56475eaee5e20cdd2d83c3

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\svchost.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchost
watchdog_path
AppData\csrss.exe

Extracted

Family

xworm

45.10.151.182:7000

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/tumblr-main/svchost.exe	family_xworm

Orcurs Rat Executable 1 IoCs

resource	yara_rule
static1/unpack001/tumblr-main/svc.exe	orcus

Orcus family
orcus
Xworm family
xworm

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/tumblr-main/svc.exe
unpack001/tumblr-main/svchost.exe

Files

tumblr-main.zip
.zip
tumblr-main/.gitignore
tumblr-main/README.md
tumblr-main/composer.json
tumblr-main/src/Api/Client.php
tumblr-main/src/Auth/OAuth.php
tumblr-main/svc.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
tumblr-main/svchost.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
tumblr-main/tests/Api/ClientTest.php
tumblr-main/tests/Auth/OAuthTest.php

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 3.0MB - Virtual size: 3.0MB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 52KB - Virtual size: 51KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 3.0MB - Virtual size: 3.0MB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 52KB - Virtual size: 51KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B