Severity
High
Analysis Summary
In the past few years Orcus was known as Schnorchel, is a Remote Access Trojan with some odd activity. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
The ability of Orcus RAT
- Keylogging and remote administration
- Stealing system information and credentials
- Taking screenshots, recording video from Webcams, recording audio from microphones, and disabling webcam light
- Executing remote code execution and Denial-of-Service
- Exploring/editing registry
- Detecting VMs
- Reverse Proxying
- Real-Time Scripting
- Advanced Plugin System
Impact
- Credential Theft
- Financial Loss
Indicators of Compromise
MD5
- 2d5d22a5a13f781cb6ea6ad89b36e062
- 64ffc840705b1bda0155a798343f14ce
- 403990c6cbb042f7c1f5e57177272f81
- 0c27bb060b0984f0d8c261da4c737e98
- 9fd41cc16b97346718fdc8671fc6dd09
SHA-256
- d8eaafd814d423528e00245c9cff2aa9d300ea7ff830cd9a87b6c635857119ae
- fc8351c509bfd6fca2168f7b5652184ab4dd273ae85da25ee7ff500a8477b7de
- 42af92e5be37c1daddda7672372a39ccebb24d31d2ea65bec2a74dfbc3a4e82c
- a59f3e48d7996ee3f48216de0328c94a60a6407cf84986b943af832a598ae21b
- bc38597ef56584c9137244163ff62762da8f78e74ac6e98065e62f97272b0b72
SHA-1
- a2dde14dbd58f46f239152544edaa95c27cc0c59
- bd7972f34d6d0c502d6c3d34a66d824655cf8bc1
- ab9ef44ed7b93ecf7b6c43f23d75a3f2dc9d5a1b
- e535a0d4a8654bd44d8ea614bfaeaa4c75f7165a
- 41ff6596703303233ebe7fcbf321cede411b70f9
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.