Rewterz Threat Alert – Orcus RAT – Active IOCs

Severity

High

Analysis Summary

In the past few years Orcus was known as Schnorchel, is a Remote Access Trojan with some odd activity. This RAT enables 
attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the 
most dangerous malicious programs in its class. 
The ability of Orcus RAT 
 

• Keylogging and remote administration 
• Stealing system information and credentials 
• Taking screenshots, recording video from Webcams, recording audio from microphones, and disabling webcam light 
• Executing remote code execution and Denial-of-Service 
• Exploring/editing registry 
• Detecting VMs 
• Reverse Proxying 
• Real-Time Scripting 
• Advanced Plugin System

Impact

• Credential Theft
• Financial Loss

Indicators of Compromise

MD5

• 62bf6e161114369c52bb84d8eebbaeca
• 81ba2fbe02838c08fbc79dcb963f1777
• d40b8fe26a5c5cb3d39ff02d56c43a68
• 9a4972e4372c302bf85969304732e0f8
• ddb20cd523b6eb2e1ff55df6953c5122

SHA-256

• 07b05f0f4d4a4d712e89d6dfc4c861aa5346edd43490e0ee36eb85a1e34a90db
• 0df7b845c3217781ad7270f0c8a13c5e029c86c5ae6c72fe3ee717b8092170da
• 8a0f000f61da83359997bd346f3772a884e7cd04e0427892c0395f2071fab48c
• 93d823994ea015a5230e21d8a937264a42e1e595176100b924a585ba002b8181
• 53ae916a34b6c3efcc82000236ebb36bb175584319211f1f6c2f612f2b0b4472

SHA-1

• 422f8a2aa2a1b29f1bff63f09500c5df10c4a274
• ed39a4b1d6d842d4c3c0b8fefb7fe8426988bb5c
• ebf2347368e53c2151f211af2846547abbb6c5b3
• ec689744bc1fc095994e9a77156f0c947279063f
• d569bdee25417c0e48b2259ad6933615c91900b5

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.