Potential COLDSTEEL RAT File Indicators

    Date: 08/21/2024

    Severity: High

    Summary

Identifies the creation of a file named "dllhost.exe" in the "C:\users\public\Documents" directory, a drop location observed in certain variants of the COLDSTEEL RAT. The legitimate dllhost.exe (COM Surrogate) lives under %SystemRoot%\System32 (and SysWOW64), so a copy appearing in the public Documents folder is suspicious on its own.

    Indicators of Compromise (IOC) List

    TargetFilename

    'C:\users\public\Documents\dllhost.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (Resourcename in ("Sysmon") AND eventtype = "11") AND targetfilename = "C:\\users\\public\\Documents\\dllhost.exe"

    Detection Query 2

(Technologygroup = "EDR" ) AND targetfilename = "C:\\users\\public\\Documents\\dllhost.exe"

Note: Windows paths are case-insensitive, so both queries should compare targetfilename case-insensitively (the referenced Sigma rule's string match is case-insensitive by default); a drop written as "C:\Users\Public\Documents\dllhost.exe" must still match. Confirm that the EDR source normalizes the target path into the same field name and form as the Sysmon source before relying on Query 2.
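The two queries above express the same test against two data sources. As an added example (not Gurucul's code and not the SigmaHQ rule itself), the Python below applies the file indicator to Sysmon Event ID 11 (FileCreate) records, folding case and stripping the \\?\ extended-length prefix before comparing so spelling variants of the path do not evade the match. The event XML, hostname, process IDs and timestamps are constructed for the example, not captured from an incident.

```python
"""Added example (not Gurucul's or SigmaHQ's code): apply the page's COLDSTEEL
file indicator to Sysmon Event ID 11 (FileCreate) records.

The sample events below are constructed for this example, not captured."""
import xml.etree.ElementTree as ET

# Indicator from the page. Windows paths are case-insensitive, so the
# comparison below folds case rather than requiring this exact spelling.
COLDSTEEL_TARGET = r"C:\users\public\Documents\dllhost.exe"

# Windows event XML uses this default namespace.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event XML into {"EventID": int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    fields = {
        d.get("Name"): (d.text or "")
        for d in root.findall("e:EventData/e:Data", EVT_NS)
    }
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    return fields


def normalize_path(path: str) -> str:
    r"""Drop the \\?\ extended-length prefix and fold case so that every
    spelling of the same NTFS path compares equal."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.lower()


def is_coldsteel_file_indicator(event: dict) -> bool:
    """Equivalent of Detection Query 1: a Sysmon FileCreate of the indicator path."""
    return (
        event.get("EventID") == 11
        and normalize_path(event.get("TargetFilename", "")) == normalize_path(COLDSTEEL_TARGET)
    )


def hunt(xml_events):
    """Return the parsed events that match the indicator."""
    return [e for e in map(parse_sysmon_event, xml_events) if is_coldsteel_file_indicator(e)]


def _event(event_id: int, **data) -> str:
    """Build a minimal Sysmon-shaped event (constructed test data; the values
    used here contain no characters that would need XML escaping)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
        '<Computer>ws01.example.local</Computer></System>'
        f'<EventData>{rows}</EventData></Event>'
    )


SAMPLE_EVENTS = [
    # Hit: cmd.exe writing the indicator path, cased differently from the IOC string
    _event(11, UtcTime="2024-08-21 10:15:32.117", ProcessId="4120",
           Image=r"C:\Windows\System32\cmd.exe",
           TargetFilename=r"C:\Users\Public\Documents\dllhost.exe"),
    # Miss: the legitimate COM Surrogate binary is written under System32
    _event(11, UtcTime="2024-08-21 10:16:01.005", ProcessId="912",
           Image=r"C:\Windows\System32\svchost.exe",
           TargetFilename=r"C:\Windows\System32\dllhost.exe"),
    # Miss for this rule: execution of the dropped file is a process-create
    # event (ID 1) and needs a separate image-path rule, not a file-event rule
    _event(1, UtcTime="2024-08-21 10:17:10.330", ProcessId="5016",
           Image=r"C:\Users\Public\Documents\dllhost.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"COLDSTEEL file indicator: {hit['Image']} wrote "
              f"{hit['TargetFilename']} at {hit['UtcTime']}")
```

Only the first sample fires: the second is the real dllhost.exe path, and the third shows that the file-event rule says nothing about the dropped binary later being run, which is why the execution side is covered by a separate process-creation rule rather than by widening this one.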

    Reference:

https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf


    Tags

Sigma, Malware, RAT
