Extracted

• • Target

    GuardianQA.xlsm

  • Size

    3.7MB

  • MD5

    f9379219193a6ad229cb99ea103240cc

  • SHA1

    d7776b47f7d16e66d52ff3d2cda8af982f713ea4

  • SHA256

    8258c96fcb836d6b29aa90529835ed1ee4fe6143bb5221459fe5e4a81b18d2e6

  • SHA512

    c8fcb2db9ecdc4aa7aefd42fc003f8bd8c2a60d1ee59a4a6d573c422812b861487b0c79fd99de4e773afa60ddd4b36a5ee447089a382ddfdfce4ffa82e661a76

  • SSDEEP

    98304:JjD7OuWRWu3nj7fH2a6AuxvczmQjj+xwT+aNaHmt:JjOuaWu3H2a6xeOMwmt

  Score

  10^/10

  discoveryorcusratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Orcurs Rat Executable

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  behavioral1behavioral2