Potential CSharp Streamer RAT Loading .NET Executable Image

Aug 12, 2024 · attack.command-and-control attack.t1219 ·

Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.

Sigma rule (View on GitHub)

 1title: Potential CSharp Streamer RAT Loading .NET Executable Image
 2id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
 3status: experimental
 4description: |
 5        Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
 6references:
 7    - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
 8    - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
 9author: Luca Di Bartolomeo
10date: 2024-06-22
11tags:
12    - attack.command-and-control
13    - attack.t1219
14logsource:
15    category: image_load
16    product: windows
17detection:
18    selection:
19        ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

Key Takeaways In October 2023, we observed an intrusion that began with a spam campaign, distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install Scree…

Read More
https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/

Read More

Potential CSharp Streamer RAT Loading .NET Executable Image

Sigma rule (View on GitHub)

References

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/

Related rules