Create RAT_Orcus

malware/RAT_Orcus

+rule RAT_Orcus 
+{
+
+    meta:
+        author = " J from THL <j@techhelplist.com> with thx to MalwareHunterTeam"
+        date = "2017/01"
+        reference = "https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/"
+        version = 1
+        maltype = "RAT"
+        filetype = "memory"
+
+    strings:
+        $text01 = "Orcus.CommandManagement"
+        $text02 = "Orcus.Commands."
+        $text03 = "Orcus.Config."
+        $text04 = "Orcus.Connection."
+        $text05 = "Orcus.Core."
+        $text06 = "Orcus.exe"
+        $text07 = "Orcus.Extensions."
+        $text08 = "Orcus.InstallationPromptForm"
+        $text09 = "Orcus.MainForm."
+        $text10 = "Orcus.Native."
+        $text11 = "Orcus.Plugins."
+        $text12 = "orcus.plugins.dll"
+        $text13 = "Orcus.Properties."
+        $text14 = "Orcus.Protection."
+        $text15 = "Orcus.Share."
+        $text16 = "Orcus.Shared"
+        $text17 = "Orcus.StaticCommands"
+        $text18 = "Orcus.Utilities."
+        $text19 = "\\Projects\\Orcus\\Source\\Orcus."
+        $text20 = ".orcus.plugins.dll.zip"
+        $text21 = ".orcus.shared.dll.zip"
+        $text22 = ".orcus.shared.utilities.dll.zip"
+        $text23 = ".orcus.staticcommands.dll.zip"
+        $text24 = "HvncCommunication"
+        $text25 = "HvncAction"
+        $text26 = "hvncDesktop"
+        $text27 = ".InstallationPromptForm"
+        $text28 = "RequestKeyLogCommand"
+        $text29 = "get_KeyLogFile"
+        $text30 = "LiveKeyloggerCommand"
+        $text31 = "ORCUS.STATICCOMMANDS, VERSION="
+        $text32 = "PrepareOrcusFileToRemove"
+        $text33 = "ConvertFromOrcusValueKind"
+
+    condition:
+        13 of them
+}