Extracted

• • Target

    BoostWare.exe

  • Size

    9.6MB

  • MD5

    1dc82cdf4c25c697678c3d95e12c494a

  • SHA1

    7e52934ffb36810cc3ed9974e7f650a9f2e1ba2e

  • SHA256

    5cf6ff4162d3eb61d3877ca0f2ab3174b95e210a8424134d4bc8698ba33e0ff3

  • SHA512

    5531feda823aa5d73f3538b22731dd54b93e15da9ce4f3e52ec380e99b52dcb7ad269fd532784a92b76deb8c2365cc190b8f784c18af7f4115612df01272ac2c

  • SSDEEP

    196608:XDPBJeZiU597HSECgB3Io5kG8s/CjAWmRYsDb7dXkDoJNrEiKkQQCncv:XFQZig97y0B375GIC0Qs8ovrEXcv

  Score

  10^/10

  orcusfortnitedefense_evasiondiscoverypersistenceratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  behavioral1behavioral2