Overview

overview

10

Static

static

10

ExeraLoader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-02-2025 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExeraLoader.exe

  • Size

    3.0MB

  • MD5

    967a76406b833408269300b470cba1d7

  • SHA1

    1988b2f59f9dcc09035ba413d1a81f724ce6d727

  • SHA256

    226ec253ffea4cf694beead5ee591540a056fbf423bdf39f7f1ce7f17241aa79

  • SHA512

    1d36400a043c30f0f76e117287a2a05d0dedb322ab1a38db8e4990c155ccf14f60a54f81ae4860f6b4e35a411d9ea15388b3c2cfd3ef81bb5673d2c362200dd2

  • SSDEEP

    49152:Cs7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpau/nRFfjI7L0qb:CsHTPJg8z1mKnypSbRxo9JCm

Score
10/10
orcusexeradbddiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

ExeraDBD

C2

31.44.184.52:57581

Mutex

sudo_cphi4rohn8s06p230o7ave0vlq6yznce

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\linelinux\protectgeo.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExeraLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\ExeraLoader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
      "C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
          PID:316
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
          3⤵
            PID:3424
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1320
      • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
        C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          2⤵
            PID:4516
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2444
        • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
          C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:640
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            2⤵
              PID:4408
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
              2⤵
                PID:3056
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                2⤵
                  PID:3160
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2552
              • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
                C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
                1⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4560
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /4
                1⤵
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1636
              • C:\Windows\System32\rundll32.exe
                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                1⤵
                  PID:1444
                • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
                  C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
                  1⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2312
                • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
                  C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
                  1⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3760

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\protectgeo.exe.log
                  Filesize

                  1KB

                  MD5

                  663b8d5469caa4489d463aa9bc18124f

                  SHA1

                  e57123a7d969115853ea631a3b33826335025d28

                  SHA256

                  7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

                  SHA512

                  45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\lib_sudo_cphi4rohn8s06p230o7ave0vlq6yznce\SharpDX.DXGI.dll
                  Filesize

                  125KB

                  MD5

                  2b44c70c49b70d797fbb748158b5d9bb

                  SHA1

                  93e00e6527e461c45c7868d14cf05c007e478081

                  SHA256

                  3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf

                  SHA512

                  faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\lib_sudo_cphi4rohn8s06p230o7ave0vlq6yznce\SharpDX.Direct3D11.dll
                  Filesize

                  271KB

                  MD5

                  98eb5ba5871acdeaebf3a3b0f64be449

                  SHA1

                  c965284f60ef789b00b10b3df60ee682b4497de3

                  SHA256

                  d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c

                  SHA512

                  a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\lib_sudo_cphi4rohn8s06p230o7ave0vlq6yznce\SharpDX.Direct3D9.dll
                  Filesize

                  338KB

                  MD5

                  934da0e49208d0881c44fe19d5033840

                  SHA1

                  a19c5a822e82e41752a08d3bd9110db19a8a5016

                  SHA256

                  02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7

                  SHA512

                  de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\lib_sudo_cphi4rohn8s06p230o7ave0vlq6yznce\SharpDX.dll
                  Filesize

                  247KB

                  MD5

                  ffb4b61cc11bec6d48226027c2c26704

                  SHA1

                  fa8b9e344accbdc4dffa9b5d821d23f0716da29e

                  SHA256

                  061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

                  SHA512

                  48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\lib_sudo_cphi4rohn8s06p230o7ave0vlq6yznce\TurboJpegWrapper.dll
                  Filesize

                  1.3MB

                  MD5

                  ac6acc235ebef6374bed71b37e322874

                  SHA1

                  a267baad59cd7352167636836bad4b971fcd6b6b

                  SHA256

                  047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96

                  SHA512

                  72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\lib_sudo_cphi4rohn8s06p230o7ave0vlq6yznce\x86\turbojpeg.dll
                  Filesize

                  646KB

                  MD5

                  82898ed19da89d7d44e280a3ced95e9b

                  SHA1

                  eec0af5733c642eac8c5e08479f462d1ec1ed4db

                  SHA256

                  5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29

                  SHA512

                  ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe
                  Filesize

                  3.0MB

                  MD5

                  967a76406b833408269300b470cba1d7

                  SHA1

                  1988b2f59f9dcc09035ba413d1a81f724ce6d727

                  SHA256

                  226ec253ffea4cf694beead5ee591540a056fbf423bdf39f7f1ce7f17241aa79

                  SHA512

                  1d36400a043c30f0f76e117287a2a05d0dedb322ab1a38db8e4990c155ccf14f60a54f81ae4860f6b4e35a411d9ea15388b3c2cfd3ef81bb5673d2c362200dd2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\linelinux\protectgeo.exe.config
                  Filesize

                  357B

                  MD5

                  a2b76cea3a59fa9af5ea21ff68139c98

                  SHA1

                  35d76475e6a54c168f536e30206578babff58274

                  SHA256

                  f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

                  SHA512

                  b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

                  Download Submit

                • memory/1320-91-0x00000000057C0000-0x00000000057E6000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/1320-65-0x0000000008630000-0x0000000008680000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/1320-84-0x0000000006DA0000-0x0000000006DFA000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/1320-98-0x0000000008920000-0x0000000008A74000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/1320-77-0x0000000005810000-0x000000000585A000-memory.dmp

                  Filesize

                  296KB

                  Download

                • memory/1320-104-0x00000000660C0000-0x000000006614F000-memory.dmp

                  Filesize

                  572KB

                  Download

                • memory/1320-70-0x0000000006D50000-0x0000000006D94000-memory.dmp

                  Filesize

                  272KB

                  Download

                • memory/1320-105-0x0000000005110000-0x0000000005126000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/1320-106-0x0000000005800000-0x000000000580C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/1320-57-0x0000000007AF0000-0x0000000008108000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/1320-39-0x0000000006010000-0x0000000006028000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/1320-40-0x00000000060A0000-0x00000000060B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1320-41-0x0000000006CD0000-0x0000000006CDA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1320-42-0x0000000007460000-0x00000000074C6000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1320-63-0x0000000007710000-0x000000000771E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/1320-62-0x0000000008110000-0x00000000082D2000-memory.dmp

                  Filesize

                  1.8MB

                  Download

                • memory/1320-61-0x0000000007730000-0x000000000783A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1320-60-0x00000000075A0000-0x00000000075EC000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/1320-59-0x0000000007560000-0x000000000759C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/1320-58-0x0000000007500000-0x0000000007512000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1636-49-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-43-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-51-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-50-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-54-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-55-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-53-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-52-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-44-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1636-45-0x000002911A8D0000-0x000002911A8D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2576-7-0x00000000054C0000-0x00000000054D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2576-0-0x000000007488E000-0x000000007488F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2576-1-0x0000000000430000-0x000000000072E000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2576-2-0x0000000005090000-0x000000000509E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/2576-3-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2576-4-0x0000000005300000-0x000000000535C000-memory.dmp

                  Filesize

                  368KB

                  Download

                • memory/2576-5-0x00000000059F0000-0x0000000005F94000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/2576-6-0x00000000054E0000-0x0000000005572000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/2576-23-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4440-24-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4440-25-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4440-26-0x0000000005A40000-0x0000000005A8E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/4440-28-0x00000000063B0000-0x000000000644C000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/4440-32-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4880-36-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4880-31-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download