Extracted

• • Target

    ec81013356f732e7101bd4a32f41e9d7631b99ed8732da2578ee74287ab94792

  • Size

    1003KB

  • MD5

    81ad6b3664dae884564dfe58621b8619

  • SHA1

    0c60baed24e30b041bf4bf7aa94dbb3378f57f37

  • SHA256

    ec81013356f732e7101bd4a32f41e9d7631b99ed8732da2578ee74287ab94792

  • SHA512

    bb0a98096bf58cd44205e1e9448b98a3ab3d92d42608237236049a237223d4a5945f71e70469d6a4520cd5210b2bf04a9fbe86bcc9546e7ff145b8794fc67d14

  • SSDEEP

    24576:fNcBtkIdyi1+ANQwXGQ1PGbC67hCUq79VY:+1yiosQ+LPYCEY7s

  Score

  10^/10

  orcusdefense_evasiondiscoveryprivilege_escalationratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus family

    orcus

  • Orcus main payload

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops file in System32 directory

  behavioral1behavioral2