Overview

overview

10

Static

static

10

tumblr-main/svc.exe

windows7-x64

10

tumblr-main/svc.exe

windows10-2004-x64

10

tumblr-main/svc.exe

windows10-ltsc 2021-x64

10

tumblr-main/svc.exe

windows11-21h2-x64

10

tumblr-mai...st.exe

windows7-x64

10

tumblr-mai...st.exe

windows10-2004-x64

10

tumblr-mai...st.exe

windows10-ltsc 2021-x64

10

tumblr-mai...st.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tumblr-main.zip

  • Size

    2.7MB

  • Sample

    241120-12leqstglc

  • MD5

    0f1c1ddd22a6e887bc885f6fa3111f0c

  • SHA1

    75318eaf63d1a26db516d5d2e3addaea215d9af2

  • SHA256

    64348ec4267b52c1a7f639ccfaf9478b6d5159f796176076650901e5b7c0e1df

  • SHA512

    26a29c1bc4d28cd70a55f441030de90b231df201d52cb6034f28ff1e46816908abe76c0371b66035edd228cf687f9b708183546f10ac9946797056874f038f2c

  • SSDEEP

    49152:mfJeEggRVen7AL7ZsjtC958jmOEw57gpYdQMz5YX98qCVo/x96DLB0wuG4WTMo5j:mfJugysmWAmOXZgOndbKyDlXuGnTn5M2

Score
10/10
orcusxwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

orcus

C2

45.10.151.182:10134

Mutex

064acb3fed56475eaee5e20cdd2d83c3

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\svchost.exe

  • reconnect_delay

    10000

  • registry_keyname

    svchost

  • taskscheduler_taskname

    svchost

  • watchdog_path

    AppData\csrss.exe

Extracted

Family

xworm

C2

45.10.151.182:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      tumblr-main/svc.exe

    • Size

      3.0MB

    • MD5

      7a461d8d06c7859b09524ceb0f3d7e4a

    • SHA1

      aa27353c3883ef1ce5728dd0112e79fec7ee2fa6

    • SHA256

      7a080f9390658ba441e845e04644e6e05ef865fdf986e8a2bfeb57dd1e4b7dee

    • SHA512

      22d4fe1a52d16bc45ed5d8cedb8fd98149bb236f2b23f39b37fcd59652e165198180aa7e4a9e2952229a10d9613747485a6891f94ef9019557af39da676aadea

    • SSDEEP

      49152:4i9R1/op1fAZeM9/NtRaO5NYAxC48VYrJAypQxbn32o9JnCmxJWncFfSIH4Duis:4EMtQR9TYW8V0OypSbGo9JCmx

    Score
    10/10
    orcusdiscoverypersistenceratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Orcus family

      orcus

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2behavioral3behavioral4

    • Target

      tumblr-main/svchost.exe

    • Size

      54KB

    • MD5

      161f7262ae9a6d95ce0f93e46cc5fcf9

    • SHA1

      164551a9330c19a9ed62b6e7d54c6d247704b5e0

    • SHA256

      73a74ebd5e95700aef901c8771fc4b64a677885f23e15bd67628b38e726f7408

    • SHA512

      63bcc54b5846ec20e65c660054d5f6051f357bf803451bf740d7d27505dcc3497a122d62e62ed966329d5b713b8848300bb5ddd77025a3b53cd0d53a19a4c3ea

    • SSDEEP

      1536:SgkETz/wBd3o3nnJWbdWDc06KVnO/jtg:SGnIcXJWbdWBnO/xg

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral5behavioral6behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks