Extracted

• • Target

    ef47077fe683334bfcabf37fa2ff8df4054f7fdd21f59590d9d84334aba5f21d

  • Size

    920KB

  • MD5

    ddf3a197325d4a0194bc900a39c77031

  • SHA1

    f74bb0c2af01c5fea37b7380e76ec4dfb46ff120

  • SHA256

    ef47077fe683334bfcabf37fa2ff8df4054f7fdd21f59590d9d84334aba5f21d

  • SHA512

    03db27c414b636a378818c6675531d301686bb41d44ff0f394e9a95661656cd421d8b39029904f64e3dd768818706465db473bc042fdaded5408970b119ee8d2

  • SSDEEP

    24576:7eu4MROxnFZ3WkTZcrZlI0AilFEvxHiyyww:7etMi7qrZlI0AilFEvxHi

  Score

  10^/10

  orcusdiscoverypersistenceratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  behavioral1behavioral2