Extracted

• • Target

    Orcus.exe

  • Size

    3.0MB

  • MD5

    37128f8c34f0e2112cb6c60d2fe8d4c6

  • SHA1

    42d4240892b4fcb2b5332fb70210238aa4070f6a

  • SHA256

    8667faa80b6d3e4126e5e9e60b6e2f755f5388c5554e7b6fd59bcd5a342326ad

  • SHA512

    f0387c7f8d4d74fc378599918cee295abf14e0cc3983a4e1681a7d40ba4b5af519a0bfec7244d2e081588590e421711dc412b3e32cb17c0a6b9db9a0d0656b88

  • SSDEEP

    49152:uBpEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmLNrZEu:uBptODUKTslWp2MpbfGGilIJPypSbxEt

  Score

  10^/10

  orcusrobloxdefense_evasiondiscoveryevasionpersistenceprivilege_escalationratspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • UAC bypass

    evasiontrojan

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Hijack Execution Flow: Executable Installer File Permissions Weakness

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation

  • Drops file in System32 directory

  behavioral1behavioral2