Extracted

• • Target

    de635998973b28697340850a75ba68f3ae3c853afc29ebcf5dad0687c63c4283

  • Size

    2.6MB

  • MD5

    67d518c9a2f94f0a9035762ea155c86f

  • SHA1

    40244558dabd707519ee925b0a69dfdf195f8fae

  • SHA256

    de635998973b28697340850a75ba68f3ae3c853afc29ebcf5dad0687c63c4283

  • SHA512

    4a660a1c885389ca485e25da4cafcb4a9e3a3e4109c5eef88299a617329c93c268ba4606fec5d57b8fa29362c5440bb73d0bb623ca1dced6e94705be11da2ecc

  • SSDEEP

    24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxB:Hh+ZkldoPKiYdqd6Z

  Score

  10^/10

  orcusligeonratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2