File Creation Related To RAT Clients

    Date: 12/27/2024

    Severity: High

    Summary

    Creation of .conf files associated with VenomRAT, AsyncRAT, and Lummac samples observed in the wild.

    Indicators of Compromise (IOC) List

    TargetFilename:

    '\AppData\Roaming\'

    - '\mydata\'
    - '\datalogs\'
    - '\hvnc\'
    - '\dcrat\'
    - '\datalogs.conf'
    - '\hvnc.conf'
    - '\dcrat.conf'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security" and eventtype = "4663") and objectname IN ("\AppData\Roaming","\mydata","\datalogs","\hvnc","\dcrat","\datalogs.conf","\hvnc.conf","\dcrat.conf")

    Detection Query 2:

    (technologygroup = "EDR") and objectname IN ("\AppData\Roaming","\mydata","\datalogs","\hvnc","\dcrat","\datalogs.conf","\hvnc.conf","\dcrat.conf")
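    As an added example (not code from the Gurucul advisory or the referenced Sigma rule), the Python below applies the TargetFilename indicators above to constructed file-creation records, treating '\AppData\Roaming\' as the parent directory and the bulleted items as directory or file suffixes, as the list layout suggests. The 'key=value|key=value' record format, user names and process paths are hypothetical.

```python
"""Added example, not code from the Gurucul advisory or the referenced Sigma rule:
apply the TargetFilename indicators above to constructed file-creation records."""

# Indicators from the advisory: parent directory plus directory/file suffixes.
PARENT_DIR = "\\appdata\\roaming\\"
SUFFIXES = ("\\mydata\\", "\\datalogs\\", "\\hvnc\\", "\\dcrat\\",
            "\\datalogs.conf", "\\hvnc.conf", "\\dcrat.conf")

def normalise(path: str) -> str:
    """Windows paths are case-insensitive and may be logged with forward slashes,
    so compare a lower-cased, backslash-only form."""
    return path.replace("/", "\\").lower()

def matches_rat_config_path(target_filename: str) -> bool:
    """True when the path sits under AppData\\Roaming and ends with one of the indicator
    directories or .conf files: a contains-plus-endswith test, not an exact match."""
    path = normalise(target_filename)
    return PARENT_DIR in path and path.endswith(SUFFIXES)

def parse_event(line: str) -> dict[str, str]:
    """Parse a constructed 'key=value|key=value' record (hypothetical format standing in
    for a Sysmon Event ID 11 or Security 4663 export; only EventID and TargetFilename are used)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def find_rat_config_hits(lines: list[str]) -> list[str]:
    """Return the TargetFilename of every file-creation record (Sysmon EventID 11) that
    matches the indicators. Security 4663 fires only where a SACL audits the directory,
    so file-create telemetry from Sysmon or an EDR gives fuller coverage."""
    hits = []
    for line in lines:
        event = parse_event(line)
        target = event.get("TargetFilename", "")
        if event.get("EventID") == "11" and matches_rat_config_path(target):
            hits.append(target)
    return hits

# Constructed sample records: hypothetical users, process paths and targets, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=11|Image=C:\\Users\\alice\\update.exe|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\dcrat\\dcrat.conf",
    "EventID=11|Image=C:\\Users\\bob\\svc.exe|TargetFilename=c:/users/bob/appdata/roaming/DATALOGS/",
    "EventID=11|Image=C:\\Program Files\\App\\app.exe|TargetFilename=C:\\Users\\carol\\AppData\\Roaming\\App\\settings.conf",
    "EventID=11|Image=C:\\Users\\dave\\tool.exe|TargetFilename=C:\\Temp\\hvnc.conf",
    "EventID=1|Image=C:\\Users\\erin\\run.exe|TargetFilename=C:\\Users\\erin\\AppData\\Roaming\\hvnc\\hvnc.conf",
]

if __name__ == "__main__":
    for hit in find_rat_config_hits(SAMPLE_EVENTS):
        print("RAT configuration path created:", hit)
```

    Only the first two sample records match: the third is a .conf file outside the indicator names, the fourth is outside AppData\Roaming, and the fifth is not a file-creation event.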

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml


    Tags

    Malware, Sigma, RAT, Lummac, VenomRAT, AsyncRAT
