Extracted

• • Target

    79c7e85a85d1e1ac4f606dfc86ad5a42ad4efed87025497bb4c8f6c633e4c970

  • Size

    11.4MB

  • MD5

    ff89d18d0a8bf7a26b63518d6c522cb5

  • SHA1

    8ef17282972234b1761adebaff024edcdfaabbde

  • SHA256

    79c7e85a85d1e1ac4f606dfc86ad5a42ad4efed87025497bb4c8f6c633e4c970

  • SHA512

    ff79cf2b7a01fd7dfd9a889e5faa09583f276c370bc603b1baa1eef5f47ea747f6acf02a04f6b00ff08dfd0f7f6178f72396170094a9753070f21db6c2f9a1dc

  • SSDEEP

    196608:qdk0W8/9E6DY8XMCHGLLc54i1wN+lPIcu9KYK39srRqZksfidSEo3PP/NMRRcHx3:sW81LXMCHWUjqcuIOeTd9/P/N9B

  Score

  10^/10

  orcusvgbndefense_evasiondiscoveryevasionpersistenceprivilege_escalationpyinstallerratspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • UAC bypass

    evasiontrojan

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Hijack Execution Flow: Executable Installer File Permissions Weakness

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation

  • Drops file in System32 directory

  behavioral1behavioral2