Extracted

• • Target

    b402e2efc90f9e6f8752e6104476cc390abb2b5c5ecaa0c03e25e48dd89c0821

  • Size

    3.0MB

  • MD5

    35deb0c432d76b1e85a91f1ca01c669c

  • SHA1

    fed1cbcd8357d732d4d7519c0013d480a8fccc31

  • SHA256

    b402e2efc90f9e6f8752e6104476cc390abb2b5c5ecaa0c03e25e48dd89c0821

  • SHA512

    ad1c30fab0cb927dc6e682313aa25584db400d2595e58d520d71ff5ef83607460fb28eaec5cfb05c8abebc7d9d9bbbf0f97e0c043f9af94511b5fe88669d9610

  • SSDEEP

    49152:XGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:XLHTPJg8z1mKnypSbRxo9JCm

  Score

  10^/10

  orcusновый тегcredential_accessdiscoveryratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus main payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Suspicious use of SetThreadContext

  behavioral1behavioral2