Extracted

• • Target

    cd50c9aed3db7c24472cf0a11bbeb8b5bc5262c255fea3018483fb347b656cd1

  • Size

    912KB

  • MD5

    b3b92d61c47974e2b4534a6b6dadc3fd

  • SHA1

    51543803f6c78b5369d719b604419acced0bf7cb

  • SHA256

    cd50c9aed3db7c24472cf0a11bbeb8b5bc5262c255fea3018483fb347b656cd1

  • SHA512

    6555440da95c24ecfb48672c2b1e92cdff8e5e33b5394139bcb9dd1a6c3e5b80caa3fe69b39580da9ee4c8ec4f4e7c80c51d2f4bd762b4dd96cbc3598c87569b

  • SSDEEP

    12288:R0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCObCOYPOlJVzKepke+w7dG1lFlz:YKa4MROxnFLHbrrcI0AilFEvxHPcooW

  Score

  10^/10

  orcuslois injkectordiscoverypersistenceratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2