orcus | Orcus[.]Administration[.]exe | Triage

Sharing

General

Target

Orcus.Administration.exe
Size

16.2MB
MD5

47c82b9e924c42876d6d4e40908888f7
SHA1

b3ef96ff2f1833ffd332c5246e34ebdd47c7e250
SHA256

26d5dadb8fec5f13b488f0532dbcf4d9cb4331ad1b7e7277ac9331fa39275528
SHA512

83f41c85b51df8d80bc2b63f89d497fe979d340607137b7822b80b8da9f5fa3b9e358554ceedb807a29a38828c331a93f1f32569a66065a2b09c5d572764a9c0
SSDEEP

393216:apC4606R60B8vYfZ9DfZ9DSK7SftLaeH+:NJOcPLPte

Score

10^/10

orcus

Malware Config

Signatures

Orcurs Rat Executable 1 IoCs

Processes:

resource	yara_rule
sample	orcus

Orcus family
orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
Orcus.Administration.exe

Files

Orcus.Administration.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\Reversing\Reverse Folder\Orcus1.3.1.Cracked.By.Wardow\Orcus1.3.1.Cracked.By.Wardow\Orcus.Administration.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 16.1MB - Virtual size: 16.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 145KB - Virtual size: 145KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ