Extracted

• • Target

    7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a

  • Size

    16.3MB

  • MD5

    608e4e58655dfb340770b4a7054a8093

  • SHA1

    5d054922ace64de66017d8d27c3b7206683d19b4

  • SHA256

    7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a

  • SHA512

    b506dbae0986e567b78fcc1da2760f08e1337321165aaf6e367039152ee14b498d44faa2c920763883d69cb139813db0d612b311aae0bd330013230f6f3668b3

  • SSDEEP

    393216:C20EjcTK84e3km6NsO9l1dy1JCcYSwOshouIkPftRL54lR+:eE4CsAsWyDYSRwouTtRLf

  Score

  10^/10

  orcusfunpaydiscoveryratspywarestealerupxexecution

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • Orcurs Rat Executable

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2