Extracted

• • Target

    890a02f4e0c8bc09cfad53b688ad04016d8c78e94514e69684323598aabd6361

  • Size

    933KB

  • MD5

    46418e78f2b8d6b8ff8069610f499921

  • SHA1

    529fbc61339cf988b2d98a25a30bc548019c0125

  • SHA256

    890a02f4e0c8bc09cfad53b688ad04016d8c78e94514e69684323598aabd6361

  • SHA512

    1b1d97a413b0f2de21d056aac047c2f279a5b3c7314513a4f983262fb03eede5f065aaa2d02943b964dd9c4306db5f84a50889a280c6c2da97a94359a224ef69

  • SSDEEP

    24576:yRP4MROxnFKj3wyv/rrcI0AilFEvxHPUooS:yyMi4TwurrcI0AilFEvxHP

  Score

  10^/10

  orcusvgbndefense_evasiondiscoveryevasionpersistenceprivilege_escalationratspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • UAC bypass

    evasiontrojan

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Hijack Execution Flow: Executable Installer File Permissions Weakness

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation

  • Drops file in System32 directory

  behavioral1behavioral2