1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
rule RAT_Orcus
{
meta:
author = " J from THL <j@techhelplist.com> with thx to MalwareHunterTeam"
date = "2017/01"
reference = "https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/"
version = 1
maltype = "RAT"
filetype = "memory"
strings:
$text01 = "Orcus.CommandManagement"
$text02 = "Orcus.Commands."
$text03 = "Orcus.Config."
$text04 = "Orcus.Connection."
$text05 = "Orcus.Core."
$text06 = "Orcus.exe"
$text07 = "Orcus.Extensions."
$text08 = "Orcus.InstallationPromptForm"
$text09 = "Orcus.MainForm."
$text10 = "Orcus.Native."
$text11 = "Orcus.Plugins."
$text12 = "orcus.plugins.dll"
$text13 = "Orcus.Properties."
$text14 = "Orcus.Protection."
$text15 = "Orcus.Share."
$text16 = "Orcus.Shared"
$text17 = "Orcus.StaticCommands"
$text18 = "Orcus.Utilities."
$text19 = "\\Projects\\Orcus\\Source\\Orcus."
$text20 = ".orcus.plugins.dll.zip"
$text21 = ".orcus.shared.dll.zip"
$text22 = ".orcus.shared.utilities.dll.zip"
$text23 = ".orcus.staticcommands.dll.zip"
$text24 = "HvncCommunication"
$text25 = "HvncAction"
$text26 = "hvncDesktop"
$text27 = ".InstallationPromptForm"
$text28 = "RequestKeyLogCommand"
$text29 = "get_KeyLogFile"
$text30 = "LiveKeyloggerCommand"
$text31 = "ORCUS.STATICCOMMANDS, VERSION="
$text32 = "PrepareOrcusFileToRemove"
$text33 = "ConvertFromOrcusValueKind"
condition:
13 of them
}