MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fb245b666172085e912a88f6e227fc4bbb9cbe3673eb81d9f18f93fc2c01ffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OrcusRAT

Vendor detections: 14

SHA256 hash: 5fb245b666172085e912a88f6e227fc4bbb9cbe3673eb81d9f18f93fc2c01ffa
SHA3-384 hash: c94e4d8cee2a3c8c223ec7efafb06a769862fbe72937b3f1b3a6b8e4e1f664234e37f52e259fe72e384f1e216e0a3b48
SHA1 hash: a33ff98bfcb0b768bf2397876e85e28e1572ea98
MD5 hash: 88cabbe1a111d69040441904850ba4c0
humanhash: skylark-comet-summer-oranges
File name: 5fb245b666172085e912a88f6e227fc4bbb9cbe3673eb81d9f18f93fc2c01ffa
Signature: OrcusRAT
File size: 13'471'232 bytes
First seen: 2025-07-31 12:15:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b354ab70390b43c45bdec9f5d7e2ac7a (1 x XenoRAT, 1 x OrcusRAT)
ssdeep: 393216:6T5RUBTJyLIngEGQx+LnMLR/ZVVdhou9W6pzY5phIVzDJl3:KGuLInP+Lnmxvx9hxYD+5/
Threatray: 60 similar samples on MalwareBazaar
TLSH: T1E3D6334864EFCD59F6A907B3D8DA04462A415DEF01405F0489E8A7B22B2A87DFC3DD6F
TrID: 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: f0f0ea29a9f2ec70 (1 x OrcusRAT)
Reporter: JAMESWT_WT
Tags: exe OrcusRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 32
Origin country: IT

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 5fb245b666172085e912a88f6e227fc4bbb9cbe3673eb81d9f18f93fc2c01ffa
Verdict: Malicious activity
Analysis date: 2025-07-31 13:29:41 UTC
Tags: rat orcus upx delphi inno installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Creating a file
Launching a service
Creating a file in the Program Files subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Connection attempt to an infection source
Unauthorized injection to a recently created process
Enabling autorun for a service
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Result
Malware family:
Score: 10/10
Tags: family:orcus botnet:v0.3 defense_evasion discovery rat spyware stealer themida trojan upx
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Checks whether UAC is enabled
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Orcurs Rat Executable
Orcus
Orcus family
Orcus main payload
Malware Config
C2 Extraction: de3.localto.net:1337

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 5fb245b666172085e912a88f6e227fc4bbb9cbe3673eb81d9f18f93fc2c01ffa
MD5 hash: 88cabbe1a111d69040441904850ba4c0
SHA1 hash: a33ff98bfcb0b768bf2397876e85e28e1572ea98

SHA256 hash: 1dbb6027ac5e261951ed02941a8522e957b9a4fef86745db71c887c1a38b9f9c
MD5 hash: 9e79aaaf22e27b8c2f3e5171b40f80c8
SHA1 hash: a8e5c4c517cfd77931e3aefe31a32f95220f1ca0
Detections: INDICATOR_EXE_Packed_Themida

SHA256 hash: ae373904763cf06576a96304c680558799ba6db154512c980cdce9a5fc0187b4
MD5 hash: 25ef7b069bcdea9ac5fa9cbb68ade8eb
SHA1 hash: 2dccf33506838b90af72e1e68be4d4dbfbbdeb98

SHA256 hash: cc2edfb065cd802888100428da634d468212a2a6d3a567615eebfc527d9d03f1
MD5 hash: c2f08fc8b8d529bab78b9a8fb1009ad5
SHA1 hash: 5a55fa536d64a60d5935cad44b046a3633aa725d
Detections: win_orcus_rat_a0 OrcusRAT MAL_BackNet_Nov18_1 Agenttesla_type2 win_orcus_rat_simple_strings_dec_2023 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_GENInfoStealer

SHA256 hash: a60fa4ef1d5036b6b5848d97ee2aa4df11c497d84273a82594ecc1ead26bf6cb
MD5 hash: 4a84aea009f518b25d1757c2e43e4906
SHA1 hash: 1143052abb45771349950a9b1fc75ce43a27f74e

SHA256 hash: 410be669b418c10f8b87fa95e01fb06fe157c4b22e3fce917b4de8df80b007d1
MD5 hash: 8ae873d989a19081e1411fb63dc9fb9e
SHA1 hash: 36b08d816e9a7c7ff866180bb43b0d33cf39170e

SHA256 hash: db3ca7be5b2bd49a1c69ae22a2eddabebe7f277b5e3b1f476497b8bbb39361c0
MD5 hash: 633d43f7b4e576511a3a04b0681af2b2
SHA1 hash: 45b730093e630e99698e2a53e12d53f1ea188b1d

SHA256 hash: 979495b3d3c6ade85d1d03e380ddba31f4c1fb041b3a7d5ae20ccf79d59e45f9
MD5 hash: 1b7d9d13796a66d754a5142c1db04dbe
SHA1 hash: 8ad6c9ee703479693fdcb94263afc682cf5ec73e
Detections: OrcusRAT

SHA256 hash: e77c3184d90f6e7a1276bb8389aba06296be97deb2e8a3433ca9a537538696da
MD5 hash: 7300211c571951be86be6c6f8cdfc09d
SHA1 hash: 5464e16689003406513c7677b3d970f673551d18

SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: 6b2fd99d6c766e7c0af92d1bb2f4f5195bbcb115bb6ea6c73915c9f8a2d9518f
MD5 hash: 103654034221141faefc532bdfb15cbb
SHA1 hash: 95111b5cf5c4c04aae8b67922414ca2b4aa191c1

SHA256 hash: 60de2ea0cbf553e45e1efed2458aaed40e54cdb234494105e44f013fdc5bf124
MD5 hash: 92cd31d8f9556f8c87b7c079f7ea4574
SHA1 hash: 9d6ed1eb712d21868a7b87611888f1e651c80b75

SHA256 hash: 2c06d012aa80f6c2df472181473e0d8f8848914245a6d6be295f4c62f4be2a58
MD5 hash: 72b69c457b5dfaaeb7607848ba0c0bea
SHA1 hash: ec66e6ce0766b857d50ebc849004b9f4536de244

SHA256 hash: 0c52d8a203ba92de6f937a7d458c24854951761ccbbc8d3961bc2b7923239c7c
MD5 hash: c2a974c1e5972d8772207ef8f9c5e39c
SHA1 hash: 11e2bcc91e20b982e7967c164053f57a2840fcb6

SHA256 hash: e12b72a24d68d058f0eaaa7a415646079ac5fc030fd2dc4b1c0f154595cb67b1
MD5 hash: 87a08deedbe9493b5f1d8d918700b657
SHA1 hash: 5762d57101f3195ede11ac1f221fb6597e9657cd

SHA256 hash: 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
MD5 hash: 913967b216326e36a08010fb70f9dba3
SHA1 hash: 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256 hash: 4e13c02b6b9f9c9a099ca304a0dc0d0b93b6ec9f7356879c5049d986681ec032
MD5 hash: bd20b72d830232a541f8aa639d205ae5
SHA1 hash: 890c1208950fb7062bc58f01cf796a4051866e51
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through a base64 encoded PowerShell script.
Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                  Title                                                      Severity
CHECK_AUTHENTICODE  Missing Authenticode                                       high
CHECK_NX            Missing Non-Executable Memory Protection                   critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection   high
CHECK_TRUST_INFO    Requires Elevated Execution (level:requireAdministrator)   high

Reviews
ID         Capabilities              Evidence
SHELL_API  Manipulates System Shell  shell32.dll::ShellExecuteA
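The four BLint findings above all come straight out of the PE headers, and an analyst who wants to reproduce them without installing BLint can do so with a few `struct` reads. The script below is an added example, not BLint's or MalwareBazaar's code: it reads DllCharacteristics for NX_COMPAT and DYNAMIC_BASE (the latter is what this example maps to BLint's "PIE" check, an assumption about BLint's naming), treats a non-zero IMAGE_DIRECTORY_ENTRY_SECURITY entry as "an Authenticode signature is attached" (presence only, not validity), and finds `requestedExecutionLevel` with a byte search for the manifest XML rather than walking the resource tree. The two PE images it runs on are constructed header-only stubs, not the OrcusRAT sample, with one stub built to reproduce exactly the four findings reported on this page.

```python
"""Re-derive the four BLint findings above by parsing PE headers directly.

Added example (standard library only); this is not MalwareBazaar or BLint code and the
two PE images it checks are constructed header-only stubs, not the OrcusRAT sample.
"""
import re
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR; mapped to BLint's PIE check here
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP / NX
IMAGE_DIRECTORY_ENTRY_SECURITY = 4              # Authenticode certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_security_checks(data: bytes) -> dict:
    """Return NX, PIE, Authenticode presence and manifest execution level for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dir_off = opt + 96   # data directory start in PE32
    elif magic == PE32PLUS_MAGIC:
        dir_off = opt + 112  # data directory start in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]  # NumberOfRvaAndSizes
    # The security directory stores a raw file offset and size of the WIN_CERTIFICATE
    # blob; a non-zero entry means a signature is attached, not that it verifies.
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Heuristic: the RT_MANIFEST resource is plain XML, so a byte search finds the
    # requested execution level without walking the resource tree.
    m = re.search(rb'requestedExecutionLevel\s+level="([^"]+)"', data)
    return {
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pie": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "authenticode": sec_off != 0 and sec_size != 0,
        "execution_level": m.group(1).decode() if m else None,
    }


def blint_style_findings(data: bytes) -> list:
    """Map the raw checks onto the finding IDs and severities shown in the table above."""
    c = pe_security_checks(data)
    findings = []
    if not c["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "high"))
    if not c["nx"]:
        findings.append(("CHECK_NX", "critical"))
    if not c["pie"]:
        findings.append(("CHECK_PIE", "high"))
    if c["execution_level"] == "requireAdministrator":
        findings.append(("CHECK_TRUST_INFO", "high"))
    return findings


def build_stub_pe(dll_characteristics: int, signed: bool, manifest_level: str) -> bytes:
    """Constructed fixture: a header-only PE32 (i386) image, not loadable, just parseable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    manifest = (b'<assembly><trustInfo><security><requestedPrivileges>'
                b'<requestedExecutionLevel level="%s" uiAccess="false"/>'
                b'</requestedPrivileges></security></trustInfo></assembly>'
                % manifest_level.encode())
    cert = b""
    if signed:
        cert = b"\0" * 8  # placeholder WIN_CERTIFICATE blob appended at end of file
        cert_off = len(dos) + 4 + len(coff) + len(opt) + len(manifest)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + manifest + cert


# WEAK reproduces the four findings on this sample; HARDENED clears all of them.
WEAK = build_stub_pe(0, signed=False, manifest_level="requireAdministrator")
HARDENED = build_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
                         signed=True, manifest_level="asInvoker")

if __name__ == "__main__":
    for name, image in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, blint_style_findings(image))
```

To run it against a real download, pass `open(path, "rb").read()` to `blint_style_findings`. Two caveats a practitioner should keep in mind: the Authenticode check only says a certificate table exists (verifying it needs the PKCS#7 blob parsed and chained), and the manifest search is a heuristic that will miss a manifest stored as UTF-16 or supplied as an external `.manifest` file.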

Comments