Date: 08/02/2024
Severity: High
Summary
Identifies a potential CSharp Streamer RAT infection by checking for a .NET executable loaded from the default file name and path associated with the tool (a dat####.tmp file in the user's local Temp folder).
Indicators of Compromise (IOC) List
Field: ImageLoaded
Pattern (regex): \\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (Sysmon, event type 7 = image load):
resourcename = "Sysmon" and eventtype = "7" and (imageloaded like "\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp")
Detection Query 2 (EDR image-load telemetry):
resourcename = "EDR" and (imageloaded like "\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp")
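The two queries above, reproduced as a small offline check (an added example, not Gurucul's TDIR code or the Sigma rule itself). The regex is the page's IOC pattern; the event records are constructed Sysmon/EDR-shaped dictionaries with the field names the queries use (resourcename, eventtype, imageloaded, plus an image field for the loading process). re.IGNORECASE is an added assumption: Windows paths are case-insensitive, so a lowercase \appdata\local\temp\ variant should still fire. The records also include a process-create event and a five-character near miss to show what the queries deliberately do not match.

```python
import re
from typing import Dict, Iterable, List

# Regex taken from the page's IOC entry: CSharp Streamer's default drop path, a
# file named dat + four alphanumerics with a .tmp extension under the user's
# local Temp folder. re.IGNORECASE is an added assumption (NTFS paths are
# case-insensitive); the page's own pattern is written case-sensitively.
CSHARP_STREAMER_IOC = re.compile(
    r"\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp", re.IGNORECASE
)

# Constructed sample records in the shape the page's queries assume. These are
# illustrative only, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign image load: should not fire.
    {"resourcename": "Sysmon", "eventtype": "7",
     "image": r"C:\Windows\System32\svchost.exe",
     "imageloaded": r"C:\Windows\System32\ntdll.dll"},
    # Sysmon image load of a dat####.tmp from the Temp folder: Query 1 hit.
    {"resourcename": "Sysmon", "eventtype": "7",
     "image": r"C:\Users\alice\AppData\Local\Temp\dat7K2Q.tmp",
     "imageloaded": r"C:\Users\alice\AppData\Local\Temp\dat7K2Q.tmp"},
    # Same path but a process-create event (type 1): Query 1 is scoped to
    # image loads, so this must not fire.
    {"resourcename": "Sysmon", "eventtype": "1",
     "image": r"C:\Users\alice\AppData\Local\Temp\dat7K2Q.tmp",
     "imageloaded": ""},
    # EDR source with no event type and a lowercase path: Query 2 hit.
    {"resourcename": "EDR", "eventtype": "",
     "image": r"C:\Program Files\dotnet\dotnet.exe",
     "imageloaded": r"c:\users\bob\appdata\local\temp\datA1B2.tmp"},
    # Near miss: five characters after "dat", so the {4} quantifier does not match.
    {"resourcename": "Sysmon", "eventtype": "7",
     "image": r"C:\Windows\explorer.exe",
     "imageloaded": r"C:\Users\bob\AppData\Local\Temp\datA1B2C.tmp"},
]


def matches_ioc(event: Dict[str, str]) -> bool:
    """True when the loaded image path contains the page's IOC pattern."""
    return CSHARP_STREAMER_IOC.search(event.get("imageloaded", "")) is not None


def detection_query_1(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Page's Detection Query 1: Sysmon event type 7 (image load) on the IOC path."""
    return [e for e in events
            if e.get("resourcename") == "Sysmon"
            and e.get("eventtype") == "7"
            and matches_ioc(e)]


def detection_query_2(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Page's Detection Query 2: EDR telemetry on the IOC path, any event type."""
    return [e for e in events
            if e.get("resourcename") == "EDR" and matches_ioc(e)]


def run_detections(events: Iterable[Dict[str, str]]) -> List[str]:
    """Apply both queries; return one alert line per hit (loading process + image)."""
    events = list(events)
    alerts: List[str] = []
    for label, hits in (("Query1/Sysmon", detection_query_1(events)),
                        ("Query2/EDR", detection_query_2(events))):
        for e in hits:
            alerts.append(f"{label}: {e['image']} loaded {e['imageloaded']}")
    return alerts


if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

Running the block prints two alerts, one per query. Because the page's pattern is unanchored, a path such as ...\Temp\dat7K2Q.tmp.dll would also match; if that produces noise in a given environment, appending `$` to the regex restricts hits to files whose real extension is .tmp.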
Category: Sigma
References:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/