File Creation Related To RAT Clients
Detects the creation of a .conf file related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
Sigma rule
title: File Creation Related To RAT Clients
id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
status: experimental
description: |
    Detects the creation of a .conf file related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
references:
    - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
    - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
    - attack.execution
logsource:
    category: file_event
    product: windows
detection:
    # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
    # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
    selection_required:
        TargetFilename|contains: '\AppData\Roaming\'
    selection_variants:
        TargetFilename|contains:
            - '\mydata\'
            - '\datalogs\'
            - '\hvnc\'
            - '\dcrat\'
        TargetFilename|endswith:
            - '\datalogs.conf'
            - '\hvnc.conf'
            - '\dcrat.conf'
    condition: all of selection_*
falsepositives:
    - Legitimate software creating a file with the same name
level: high
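To make the matching logic concrete, the following is an added Python sketch (not part of the rule or of the Sigma project) that evaluates the same selections over constructed Sysmon-style file-creation events; the event dictionaries, field names and sample paths are assumptions made for the example, and every string comparison is lowercased because Sigma string matching is case-insensitive.

```python
# Added example: stand-alone evaluation of this rule's logic over constructed
# Sysmon EventID 11 (FileCreate) style events. Not the rule's own code.

# Constructed sample events; TargetFilename mirrors what Sysmon logs on FileCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\client.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\DataLogs\DataLogs.conf"},
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\hvnc\hvnc.conf"},
    # Near miss: listed file name, but the path is outside AppData\Roaming.
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\svc.exe",
     "TargetFilename": r"C:\ProgramData\Vendor\dcrat\dcrat.conf"},
    # Near miss: listed directory, but the file is not one of the .conf names.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\mydata\notes.txt"},
]

# selection_required: TargetFilename|contains
REQUIRED_CONTAINS = ["\\appdata\\roaming\\"]
# selection_variants: two modifiers in one selection, so both must match (AND)
VARIANT_CONTAINS = ["\\mydata\\", "\\datalogs\\", "\\hvnc\\", "\\dcrat\\"]
VARIANT_ENDSWITH = ["\\datalogs.conf", "\\hvnc.conf", "\\dcrat.conf"]


def selection_required(target: str) -> bool:
    t = target.lower()
    return any(s in t for s in REQUIRED_CONTAINS)


def selection_variants(target: str) -> bool:
    t = target.lower()
    return any(s in t for s in VARIANT_CONTAINS) and any(t.endswith(s) for s in VARIANT_ENDSWITH)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -- every selection block must hold."""
    target = event.get("TargetFilename", "")
    return selection_required(target) and selection_variants(target)


def alerts(events) -> list:
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Only the first two constructed events fire; the two near misses show that a listed .conf name alone, or the AppData\Roaming directory alone, is not enough to match.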
Related rules
- CVE-2024-50623 Exploitation Attempt - Cleo
- CMSTP UAC Bypass via COM Object Access
- Potential RDP Session Hijacking Activity
- UAC Bypass Using IDiagnostic Profile
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process