Extracted

• • Target

    test.exe

  • Size

    3.0MB

  • MD5

    7b3150ddd3df859f8f6f36cb041b23f7

  • SHA1

    c3934ab76025c17cab3d309a96c1e32df9ad9d65

  • SHA256

    675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

  • SHA512

    a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214

  • SSDEEP

    49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

  Score

  10^/10

  orcusdefense_evasionevasionpersistenceprivilege_escalationratspywarestealertrojanexecution

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • UAC bypass

    evasiontrojan

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Hijack Execution Flow: Executable Installer File Permissions Weakness

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  behavioral1behavioral2behavioral3