Extracted

• • Target

    newResultprot.exe

  • Size

    3.3MB

  • MD5

    3ee4cc4a7fe52761e3cb486a6c2d8e3e

  • SHA1

    c96c9bcdcc57cfc497f4b831398145b307c42b73

  • SHA256

    ece849a1ae5c71db8aaac5ad98d2022e05448083120ff3f1f758c2c020d1d03e

  • SHA512

    848e1a6dde72c3e3bdecdfb9bbe8e8e9d126fed1996a95b0294f18aee19f23c61a0d8a8947294a3a01f587edf37a59df11ce249611effd54832cbad940398515

  • SSDEEP

    98304:F49p/IqTL48s8QLbr4jYgc3TZyd2H+L05kJj9878I:Fm5xzgLQjYg6NsvrGQ

  Score

  10^/10

  orcusisehaaacollectionpersistenceratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus main payload

  • Orcurs Rat Executable

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2