Potential CSharp Streamer RAT Loading .NET Executable Image

    Date: 08/02/2024

    Severity: High 

    Summary

    Identifies potential CSharp Streamer RAT activity by checking for a loaded .NET executable image whose file name and path match the defaults linked to the tool.

    Indicators of Compromise (IOC) List

    ImageLoaded

    \\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourcename = "Sysmon" and eventtype = "7" and (imageloaded like "\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp")

    Detection Query 2

    resourcename = "EDR" and (imageloaded like "\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp")
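
The Sysmon query logic above, run over a handful of image-load records, as an added example that is not part of the original page or of the referenced Sigma rule. It assumes a JSON-lines export with `EventID`, `Image` and `ImageLoaded` fields and Python's case-sensitive `re.search`; every sample record is constructed.

```python
import json
import re

# Pattern copied from the page's ImageLoaded indicator (unanchored, case-sensitive here).
CSHARP_STREAMER_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp")

# Constructed sample records, not real telemetry; field names are assumptions.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Tools\\example.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\dat3F9A.tmp"}
{"EventID": 7, "Image": "C:\\Tools\\example.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 11, "Image": "C:\\Tools\\example.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\dat3F9A.tmp"}
{"EventID": 7, "Image": "C:\\Tools\\example.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\dat3f9a.tmp"}
{"EventID": 7, "Image": "C:\\Tools\\example.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\datABCDE.tmp"}
{"EventID": 7, "Image": "C:\\Tools\\example.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\sub\\dat1234.tmp"}
this line is not valid JSON
"""

def find_image_load_hits(lines):
    """Return (Image, ImageLoaded) pairs for Event ID 7 records matching the indicator."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the sweep
        if not isinstance(event, dict) or str(event.get("EventID")) != "7":
            continue  # only image-load events carry ImageLoaded
        loaded = event.get("ImageLoaded", "")
        if isinstance(loaded, str) and CSHARP_STREAMER_IMAGE.search(loaded):
            hits.append((event.get("Image", ""), loaded))
    return hits

if __name__ == "__main__":
    for image, loaded in find_image_load_hits(SAMPLE_EVENTS.splitlines()):
        print(f"HIT image={image} loaded={loaded}")
```

Only the first record is a hit: the lower-case, five-character and sub-directory variants fall outside the character class and path on the page, and the Event ID 11 record is not an image load.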

    Category:  Sigma

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml

    https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections 

    https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ 


     
