{"id":3978,"date":"2022-11-03T06:00:36","date_gmt":"2022-11-03T06:00:36","guid":{"rendered":"\/cybersecurity-blog\/?p=3048"},"modified":"2023-03-27T13:57:30","modified_gmt":"2023-03-27T13:57:30","slug":"orcus-rat-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/","title":{"rendered":"What is Orcus RAT? Technical Analysis and Malware Configuration"},"content":{"rendered":"\n<p>Our malware analysts are always on the lookout for and researching various malicious samples. This time we came across Orcus RAT in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=orcus&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN online malware sandbox<\/a> and decided to perform a technical malware analysis. In this article, you will learn how this RAT stores and protects its configuration and how to write the memory dump extractor in Python.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is Orcus RAT?<\/h2>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/malware-trends\/orcus?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=orcus&amp;utm_content=mtt\" target=\"_blank\">Orcus<\/a> is a Remote Access Trojan with some distinctive processes. 
The RAT allows attackers to create plugins and offers a robust core feature set that makes it quite a dangerous malicious program in its class.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"841\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic.jpg\" alt=\"\" class=\"wp-image-4060\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic.jpg 841w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic-300x209.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic-768x536.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic-370x258.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic-270x188.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic-570x398.jpg 570w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2022\/11\/Orcus-RAT-infographic-740x517.jpg 740w\" sizes=\"(max-width: 841px) 100vw, 841px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Orcus RAT malware analysis<\/h2>\n\n\n\n<p>The sample for the <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-do-malware-analysis-infographic\/\" target=\"_blank\">malware analysis<\/a> has been obtained from the <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/submissions?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=orcus&amp;utm_content=submissions\" target=\"_blank\">ANY.RUN database<\/a>. 
You can find it and follow along:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td>SHA-256<\/td><td>258a75a4dee6287ea6d15ad7b50b35ac478c156f0d8ebfc978c6bbbbc4d441e1<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>We downloaded the Orcus RAT sample and opened it in DiE to get basic information:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/qVydFyGaOG0q1TGx-NTW0GOhN0er_hRGT23SH1wuyPvc2OkZxrp3NK4uq8eRrS3vNf33Fh76F6vo_8EJRaBm8xS_GmrBQ8cQt0ykY7WmwNKZucKWBpbDe89H3uKMuZy_eQjz-_00qWUwj7CADPcxgj9jSb229WKY4GEU1YpeXG3SDr4sBZTvx-S7Pw\" alt=\"Sample overview in DiE\"\/><\/figure>\n\n\n\n<p>The DiE results show that we are dealing with a .NET sample. And it\u2019s high time to start malware analysis of Orcus. For this matter, DnSpy comes in handy.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/vl0O0q9drKbVuzHqntUemiQtrLfspsSMa7nUfYmsFMeO3hxw8Sjvr77K1cnGZzDPgk-uM5ASjHkvyxqrXhtvkB8RFh3iiqu-jxv4lCcwvp7ZQ-2yev9Bn9tyxW_8vF0ECDBGX7phZlg4RIJnV76QsHTumfbSNXRBGKszOyvnAyobpag320HEZHcJxg\" alt=\"Sample overview in DnSpy\n\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Orcus RAT classes overview<\/h3>\n\n\n\n<p>Our primary research goal is to find the RAT configuration. The first destination point is malware classes. While going through them, we bump into a namespace called Orcus.Config, and it contains the following classes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Consts <\/strong>include information about the different files and directories that Orcus RAT uses. 
For example, the path to the file where user keystrokes are saved or to the directory where the plugins used by a sample reside.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/iwODqADB4rb-6-bDI4qmjeTRNZanNrzKzjrqPBJixmfdNPvWr8fghiLMopuKFovkM3WWa5UFMLFheYrJrGKWt5JwTKHKg1VXFjJXw-IhEps0wuZ8kVS2A7Xzl72V883FhfsWKC484Yie12oPIqCDyFDAKdnB84KUcdSc2ncVIPy2xTcwBXfypG-7PQ\" alt=\"Orcus.Config.Consts class overview in DnSpy\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Settings <\/strong>contain wrapper methods for decrypting the malware configuration and its plugins.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/xvfyp2_k_C_0-mbw4ANrpYFoPWcQrDfLKXc9M-Yia-UT1hM0AnLD5kB77EZzZ2cwGs0pbUHukwRnHLrUOAdP7CUcWI1m88RG8isdOrtJnxVROGN3CwtOXfjZQnThuWxIVUvK3dXd8ubTPowJFt8pkMjkqoGyaU4Pa0ZeBpCuch72bCs_Dftjqs9GGQ\" alt=\"Orcus.Config.Settings class overview in DnSpy\n\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SettingsData <\/strong>is a static class only with the encrypted malware and plugin configuration fields.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/PfaCQcTuAFnSiCMz8S4kPyfIQz90ApQYQDKJhYYHeIrma2JexQmEg7WVVxKnjEH6xg1iGZIVdBg2OB4VwJFkcY9dRHcQwnDkGmFs3i5i-0IENs9_iBEA2uMicrAjeQTaJlBOgegSwDdcqU0G4H0FnY7dvwkSk34yZpzWIGduIifqHDkGweWhBFHttA\" alt=\"Orcus.Config.SettingsData class overview in DnSpy\n\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Orcus malware resources<\/h3>\n\n\n\n<p>Inside the <strong>Settings<\/strong> class, we see the <strong>GetDecryptedSettings<\/strong> method. Later, it calls out the <strong>AES.Decrypt<\/strong>. 
After noticing it, we can suppose that the AES algorithm encrypts the malware configuration:<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/meW9KBs4mVe7jt1k_xOxVNZOA_gyuvf7GuaDyiH9BrY0fs-1RYl9Ro1fqui3FVwwFBfRmUMxrZa6lJCTyIaTXhKYZcAkWwTWB0AvkRjSDPTEtPnKurVPNiwqhMvm7N5dYVtb1wPSctTuUlJXRzGv-LtgkMfCSO4qQWhKs8Vv1hjwY1Bbjff39m87Xg\" alt=\"GetDecryptedSettings method\n\" width=\"844\" height=\"177\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>AES<\/strong> class is imported from the <strong>Orcus.Shared.Encryption<\/strong>. The only problem is that the assembly doesn\u2019t contain such a namespace. To find it, we can go to the Orcus RAT resources:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/hHx3ov3_XMJLZ17lGcQkmRslkaGkUa7pktzz4ytlvKPYfFfr3rX_JOepmZAN8mX3Qbi1xH12s4gkzSr8AhlwEQ_4qrIH0U4L60ETc3h6IouAL7kO97TWaLhF7ksrI2floLgLrT1ZrCv--tjrB72N88ba8ubSarJ2OcwolMUpGMlxkEki5T3N2_JmtQ\" alt=\"Orcus resources revealed in DnSpy\n\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We seem to have found an assembly <strong>orcus.shared.<\/strong> But what is this <strong>costura<\/strong> prefix? And why is the assembly stored with a .zip extension? We extracted this resource and tried to unpack it. Unfortunately, it was a miss \u2013 despite the .zip extension, this resource is not an archive.<br><\/p>\n\n\n\n<p>Realizing that, at some point, this assembly must be loaded into the application, we make a decision to look for another place where this happens. Of course, keeping that strange costura prefix in mind. And it didn&#8217;t take us long \u2013 we have found the <strong>Costura<\/strong> namespace that contains the <strong>AssemblyLoader<\/strong> class. 
It is supposed to load the assemblies packed in Orcus resources.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/_MiZO382GgQ--QoweZFMOhGfomgrCyfgMkEkASo7EWtTGX6WMiMY1bVxupipM2QUFPkBsyl5vZjXTfEMJFpKPYII7HkYihj1F81VQZVCcTr4eIsIPSR4tL54C3bEt01miFxIq9CcKiLyDwiH-HjqaLlfmfItejcBLM9qHy3ttbJR0c_p7gaMv48ejw\" alt=\"AssemblyLoader class of Costura packer\n\"\/><\/figure>\n\n\n\n<p>Inside the AssemblyLoader class, we have caught how assemblies are loaded from resources:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/R8INnuRgE32VVs6t5sDyd0tQb9JP40mNsUh_fhwf7kNxL3Lc6PdrbRUo8b1ihTWQWoBhAAmYN-9sEQIevNP1dka8BUaHc5dIkRpCv9p7K1-wdTjgmfjgFedxYCokgRdLK1C_TxRkQhDupHYn6uswOyvxbw40Ell_ctIdltMd-nElyeuVtTDksQgDGA\" alt=\"Costura packer using DeflateStream to unpack embedded assemblies\"\/><\/figure>\n\n\n\n<p>After repeating this operation with<a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=Raw_Inflate(0,0,'Adaptive',false,false)\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\"> CyberChef,<\/a> we got an unpacked assembly.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/Sh6O04AKAlj7GbKiopiUTfRs_j6JpN8tRfIvEXdczuN7AVA9nyLqQGUYzRkU1zB4PFgbyS7l6QttLdTPloeoLSgtHJTfOsKrVkjERHGjMWeGmwcS6gBQCAylvJbcoNVKsg9q0usHKxaMsSFzqqook13JNhxdlO8L76atsp5cZHqIwb1Lt3mSKiiHMw\" alt=\"Raw Inflate in CyberChef saves the day\n\"\/><\/figure>\n\n\n\n<p>To avoid any second thoughts, we upload the unpacked assembly to DnSpy. 
Hopefully, it can confirm or deny our assumption about the encryption algorithm used by the Orcus RAT.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/RZx5LQ41A0WJH95YIWFvYIvEkqdYhJqJi7qBmsf8JASuTt99xPmThe-oUKYfxTSjoRhvJx93xqCvFAPP2NMYpEI30NlPLijBpQDWR7cKyS_tmIWL5lVjHM-M3ltmK2fU40_Dfrz7_KYM9-9FKLZYoBXl2goGel4bU9geI_lrmOw_RRafSoLl3NTjyw\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This class contains methods for encrypting and decrypting data, as well as an initialization vector field for the AES algorithm and a field with the key length. We are not really interested in the <strong>encryption<\/strong> process, but the data <strong>decryption<\/strong> is exactly what we need:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/7SNvE88Lb4B3QQJCxgVtl2r-9yogbM_rEolwiP0y1HvxYCagZ8AaBf3gd-m1AfolVyZiuj0XYpaTRkI2FCBJ_TBy54F71Nr2UYVI85Wbfx0LHPoPjBQXV1nY3-gynK7DC0kbOmJoeO41lP-CDulvIFJt2W3ycY4-zBWDRM9N5HLXtQOL2QgY0PgK2w\" alt=\"AES decryption implementation\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Orcus RAT data decryption<\/h3>\n\n\n\n<p>We have found out the following information concerning data decryption:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Base64<\/strong> is applied to the encrypted data besides the AES algorithm.<\/li>\n\n\n\n<li>The exact encryption type is AES256-CBC.<\/li>\n\n\n\n<li>We identified how the encryption key is derived.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Let\u2019s discuss this stage, this one is definitely interesting. To generate the key for a given string, Orcus uses the <strong>PasswordDeriveBytes<\/strong> class, which is based on the <strong>PBKDF1<\/strong> algorithm from Microsoft. 
The malware uses the default settings: it means that the number of iterations for key generation will be 100, and the hashing algorithm will be <strong>SHA1<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/x5eGKoBDkGOl5UGRgk1oxSx0j55B0VCp1s5vRNKWFl4uflsFnJFRi2Oqs6nq3UVJbJTaM89htTNJf6wRXmOZIA86pAWw5CUASi9Qrc520vUKtwML1CH9MXjMtcaX2Iwy_WvxLklQS9ISNGdHU980a5X9qUIVY10qskPpou9IRpDz4pDXho_esqy-YQ\" alt=\"Orcus RAT is using PasswordDeriveBytes class with the default constructor\" width=\"972\" height=\"55\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Are you wondering how it\u2019s done? Here is a scenario:&nbsp;<\/p>\n\n\n\n<p>The first 20 bytes proceed as usual, then a byte counter is added to each hashed byte of the inherited string from the 20th to the last byte. Taking it into account, we implemented this in Python:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/tSBsRub8NwC1522hMQ4czmYtlntuRgK_UBISqXhEpsaLFZSTe7QUi6Ko02bkPPLcm3hkNZ_GHTysIPiAaHKbvajJceG8Y5XvO9CFlfAWl0YF4AasFhqkn-LkEayxowdZVxqpb3DWxE_BHQqotwviF-TwvTdfqXtlJ-Yz9w2IXjE-hIU_wvkLWwEKzg\" alt=\"Microsoft\u2019s extended PBKDF1 algorithm implemented in Python\n\"\/><\/figure>\n\n\n\n<p>Knowing the correct key, you can decrypt the data using<a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Base64('A-Za-z0-9%2B\/%3D',true,false)AES_Decrypt(%7B'option':'Hex','string':'415434738C1FFA7635528C8D77E07A8544F7808912652F07E2C2C88A8BB4B596'%7D,%7B'option':'UTF8','string':'0sjufcjbsoyzube6'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&amp;input=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\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\"> CyberChef<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh6.googleusercontent.com\/QCv_BX-wfuay74coAG2KtoKUV_fSbYInKTaWpNzHTK-KMnPblzBMb_lN8AbKkqcq1Q3vAxFKll4ZRG5Yx01J4E_dxb1kFBlGwsFNnAXAuGH2x2Kpd8rKzUNZjR8zWp4BS9Mt3e2eulvAIvO_pmDckPLi-RZbrT835cjH2iMCrnHWG3lVgj2N10HT1Q\" alt=\"Orcus configuration decrypted in CyberChef\n\"\/><\/figure>\n\n\n\n<p>As a result of decoding, we get the malware configuration in the XML format.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/g1dNqJYz826J_oOK76i16-QkDkPRVEMd1fbbGUFHBbKoN1Qp95kmTSXlsF-PQNNW4lrWg4FVbwBlfmHnG4N_HDDRiH9JxVd8KCPdrZepOoLqtnoNeMVT1rOvatUMA-i82Mp6vbP9Esevetf_S2FtE1zr8xBWqU21gvWGAQAtVEz8bsGijiO6FJgwog\" alt=\"Example of C2s properties in the decrypted XML config\" width=\"839\" height=\"802\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automating the configuration extraction process of Orcus RAT<\/h3>\n\n\n\n<p>Now, we will write a Python script with the necessary data to decrypt and automate the configuration extraction. After studying some samples, we have seen that the strings with the encrypted data are located one after another in the UserString stream between two other specific UserString objects (the strings &#8220;case FromAdministrationPackage.GetScreen&#8221; and &#8220;klg_&#8221;).<\/p>\n\n\n\n<p>Next, using the <strong>dnfile<\/strong> library, we implement a simple algorithm that iterates through the UserStrings looking for the strings mentioned above. 
And it\u2019s important to note that the number of received strings between them must be three:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The main encrypted configuration of malware&nbsp;<\/li>\n\n\n\n<li>The encrypted configuration of the plugins that Orcus uses<\/li>\n\n\n\n<li>The key from which the AES key will be generated&nbsp;<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/jeiTJG8CJZE7ErgyITvjqZRTMz7UMJVcgXqOqVBzI25AilIiDFl4N_y6Tzx3gwhpOIWzSl5EqwAtejYOWEbmO18t9OJ-WfG3h5u_ZHNwoXp1h7oT4XGDuEOafX0haNjh6yfP2ZR5qkWEqBIebOgGWXe2MfCFQ6K9CNUKI5mNdo4kROOzRt-LltFqCQ\" alt=\"Encrypted data extraction algorithm written in Python\n\" width=\"829\" height=\"690\"\/><\/figure>\n\n\n\n<p>You can also always use<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=orcus&amp;utm_content=landing\" target=\"_blank\"> ANY.RUN service<\/a> to automatically retrieve the Orcus RAT configuration. It\u2019s a much easier way to analyze a malicious object in a short period of time. 
For example, the sandbox has already retrieved all data from this <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/tasks\/55dce88d-b52c-4a51-b3c8-b8e6dcff0b13?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=orcus&amp;utm_content=task\" target=\"_blank\">Orcus sample<\/a>, so you can enjoy smooth research.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/-wqJfjTNEoahwZ6VPRutEyBfGYIxQTJTze9qa9Qd4Uj_UaATv73vqLgiGzFNqAvTenWTKWywqy3rmFGZvMomOkPQoN-c-ZgciM2k6vg06kO700K2-dxxJSILkA2eRwDoORKNXsaKfklNyom_5eCSysiKbh9JUnApEJlx0w05OE5wFEUc0fwjP58YTQ\" alt=\"Decrypted Orcus RAT configuration shown in ANY.RUN interactive sandbox\n\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion<\/h3>\n\n\n\n<p>In this article, we briefly analyzed the Orcus RAT and automated its configuration extraction. The<a href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Extractors\/OrcusRat\/OrcusRat.py?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=orcus&amp;utm_content=script\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\"> full version of the extractor<\/a> is available at the link, so don\u2019t forget to check it out!&nbsp;<br><\/p>\n\n\n\n<p>Orcus has become another chapter in our malware analysis series. Read our previous posts about <a href=\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">STRRAT<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Raccoon Stealer<\/a>. 
What should we cover next?<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The post blitz survey&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What is Orcus RAT?<\/li>\n<\/ul>\n\n\n\n<p>Orcus is a Remote Access Trojan that allows attackers to create plugins and offers a robust core feature set.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Where and how does Orcus store additional assemblies?&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Orcus RAT stores additional assemblies inside the malware resources using a &#8216;deflate&#8217; algorithm.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How does Orcus encrypt data?&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Orcus RAT encrypts data using the AES algorithm and then encodes the encrypted data using Base64.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How can we decrypt Orcus RAT?<\/li>\n<\/ul>\n\n\n\n<p>First, you need to generate the key from a given string using Microsoft&#8217;s PBKDF1 implementation. Second, decode the data from Base64. Finally, apply the generated key to decrypt the data via the AES256 algorithm in CBC mode. As a result of decoding, we get the malware configuration in the XML format.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our malware analysts are always on the lookout for and researching various malicious samples. This time we came across Orcus RAT in ANY.RUN online malware sandbox and decided to perform a technical malware analysis. 
In this article, you will learn how this RAT stores and protects its configuration and how to write the memory dump [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3986,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[34],"class_list":["post-3978","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Orcus RAT Technical Malware Analysis and Configuration Extraction<\/title>\n<meta name=\"description\" content=\"Are you looking for Orcus RAT malware analysis? Read how it stores and protects configuration and how to write the memory dump extractor.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hardee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/\"},\"author\":{\"name\":\"hardee\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"What is Orcus RAT? 
Technical Analysis and Malware Configuration\",\"datePublished\":\"2022-11-03T06:00:36+00:00\",\"dateModified\":\"2023-03-27T13:57:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/\"},\"wordCount\":1118,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/\",\"name\":\"Orcus RAT Technical Malware Analysis and Configuration Extraction\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2022-11-03T06:00:36+00:00\",\"dateModified\":\"2023-03-27T13:57:30+00:00\",\"description\":\"Are you looking for Orcus RAT malware analysis? Read how it stores and protects configuration and how to write the memory dump extractor.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"What is Orcus RAT? 
Technical Analysis and Malware Configuration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"hardee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png\",\"caption\":\"hardee\"},\"description\":\"I contribute to open source from time to time and I am always up for a challenge.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Orcus RAT Technical Malware Analysis and Configuration Extraction","description":"Are you looking for Orcus RAT malware analysis? Read how it stores and protects configuration and how to write the memory dump extractor.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/","twitter_misc":{"Written by":"hardee","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/"},"author":{"name":"hardee","@id":"https:\/\/any.run\/"},"headline":"What is Orcus RAT? Technical Analysis and Malware Configuration","datePublished":"2022-11-03T06:00:36+00:00","dateModified":"2023-03-27T13:57:30+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/"},"wordCount":1118,"commentCount":1,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/","name":"Orcus RAT Technical Malware Analysis and Configuration Extraction","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2022-11-03T06:00:36+00:00","dateModified":"2023-03-27T13:57:30+00:00","description":"Are you looking for Orcus RAT malware analysis? 
Read how it stores and protects configuration and how to write the memory dump extractor.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"What is Orcus RAT? Technical Analysis and Malware Configuration"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"hardee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png","caption":"hardee"},"description":"I contribute to open source from time to time and I am always up for a 
challenge.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/3978"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=3978"}],"version-history":[{"count":10,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/3978\/revisions"}],"predecessor-version":[{"id":4616,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/3978\/revisions\/4616"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3986"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=3978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=3978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=3978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}