Concrete signature match: Trojan (appears legitimate but performs malicious actions), .NET (Microsoft Intermediate Language) platform, family Orcusrat
This detection identifies the Orcus Remote Access Trojan (RAT), a malicious program that gives an attacker unauthorized remote control of the infected system. Judging from the strings the signature matches on, its capabilities include spying on the user by taking screenshots, stealing data, and executing remote commands.
Relevant strings associated with this threat:
- TakeScreenshot (PEHSTR_EXT)
rule Trojan_MSIL_Orcusrat_ADT_2147779931_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Orcusrat.ADT!MTB"
        threat_id = "2147779931"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Orcusrat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "15"
        strings_accuracy = "High"
    strings:
        $x_4_1 = "Orcus" ascii //weight: 4
        $x_4_2 = "KillButton_Click" ascii //weight: 4
        $x_4_3 = "get_KeyLoggerService" ascii //weight: 4
        $x_4_4 = "TakeScreenshot" ascii //weight: 4
        $x_4_5 = "_keyboardHookHandle" ascii //weight: 4
        $x_3_6 = "get_IcmpSockets" ascii //weight: 3
        $x_3_7 = "IsATcpAnaylzerRunning" ascii //weight: 3
        $x_3_8 = "set_AntiVMs" ascii //weight: 3
        $x_3_9 = "set_AntiDebugger" ascii //weight: 3
        $x_3_10 = "set_TaskSchedulerTaskName" ascii //weight: 3
    condition:
        (filesize < 20MB) and
        (
            ((5 of ($x_3_*))) or
            ((1 of ($x_4_*) and 4 of ($x_3_*))) or
            ((2 of ($x_4_*) and 3 of ($x_3_*))) or
            ((3 of ($x_4_*) and 1 of ($x_3_*))) or
            ((4 of ($x_4_*))) or
            (all of ($x*))
        )
}

2a5dafb98fd56a645d5a43453e6f3e0bcc04176987c851000929773e54b55caf

Isolate the affected host from the network immediately. Use Windows Defender to quarantine and remove the detected threat. Investigate the initial access vector and scan for persistence mechanisms.
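As an added example (not code from threatcheck.sh or from Microsoft's engine), the Python below reconstructs the weighted scoring that the PEHSTR_EXT metadata implies (threshold 15, per-string weights from the //weight comments) and checks that the rule's explicit "N of ($x_4_*) and M of ($x_3_*)" clauses are exactly the minimal combinations reaching that threshold. The scoring and clause-derivation functions are this example's own reconstruction.

```python
# Added example, not part of the threatcheck.sh page or Microsoft's engine:
# reconstruct the weighted scoring implied by the PEHSTR_EXT metadata
# (threshold = 15, weights from the //weight comments) and verify that the
# rule's explicit condition clauses are exactly "weighted score >= 15".
from itertools import product

WEIGHTS = {  # string name -> weight, copied from the rule above
    "Orcus": 4, "KillButton_Click": 4, "get_KeyLoggerService": 4,
    "TakeScreenshot": 4, "_keyboardHookHandle": 4,
    "get_IcmpSockets": 3, "IsATcpAnaylzerRunning": 3, "set_AntiVMs": 3,
    "set_AntiDebugger": 3, "set_TaskSchedulerTaskName": 3,
}
THRESHOLD = 15


def weighted_score(matched):
    """Sum the weights of the signature strings found in a sample."""
    return sum(WEIGHTS[s] for s in set(matched) if s in WEIGHTS)


def rule_condition(matched):
    """The rule's condition block, minus the filesize check."""
    hits = set(matched) & set(WEIGHTS)
    n4 = sum(1 for s in hits if WEIGHTS[s] == 4)
    n3 = sum(1 for s in hits if WEIGHTS[s] == 3)
    return (n3 >= 5 or (n4 >= 1 and n3 >= 4) or (n4 >= 2 and n3 >= 3)
            or (n4 >= 3 and n3 >= 1) or n4 >= 4 or hits == set(WEIGHTS))


def minimal_clauses(threshold=THRESHOLD):
    """(weight-4 count, weight-3 count) pairs that first reach the threshold;
    this is the expansion a weight/threshold signature needs to become YARA."""
    clauses = []
    for n4 in range(sum(1 for w in WEIGHTS.values() if w == 4) + 1):
        n3 = max(0, -(-(threshold - 4 * n4) // 3))  # ceil((threshold-4*n4)/3)
        clauses.append((n4, n3))
        if n3 == 0:  # any further weight-4 hits are covered by this clause
            break
    return clauses


def condition_matches_threshold():
    """Exhaustively check all 2**10 subsets: clauses <=> score >= threshold."""
    names = list(WEIGHTS)
    for mask in product([False, True], repeat=len(names)):
        subset = [n for n, keep in zip(names, mask) if keep]
        if rule_condition(subset) != (weighted_score(subset) >= THRESHOLD):
            return False
    return True
```

The "all of ($x*)" clause is redundant under this scoring (ten hits score 35), which is why the exhaustive check still passes without it contributing.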