ROKRAT Malware (APT37)

RoKRAT Malware – Injection & Steganography

🛠 High-Level TTPs
- Initial Access: Malicious .lnk files within compressed archives.
- Execution & Persistence: PowerShell/BAT-driven staged loaders with XOR decryption.
- Defense Evasion: Process injection into trusted Windows binaries & payload concealment via steganography.
- Command & Control: Abuse of pCloud, Yandex Disk, and Dropbox APIs with embedded tokens to blend with legitimate traffic.
EDR hunting | FDR | intermediate | by Aamir Muhammad (cql-hub.com) | 1 min read
Query

in(field="#event_simpleName", values=["*ProcessRollup2", "DnsRequest", "*Written"])
| case {
// 1. Known RokRAT sample hashes
in(field="SHA256HashData", values=["3fa06c290c477c133ca58512c7852fc998632721f2dc3a0984f18fbe86451e18","ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6","9eca7ab62e3ad40b79116ad713462e3ae4d9610345952e5dd279f0b481870d4f","7ee4326c5d0e6a30c1a9bdec045d670758fa1b36477992d61b03cb270113b196","e27467f7fdfa721e917384542ce10cc6108dfd78df14e23872cf8df916e0b8c6","7d514021c472e6e17f587ed30555d3f120653e6c7f8dc25d2331514b92ffd7bc","41d9b6d8cf0fff85bf35327d4b94db629cd9f754c487672911b7f701fe8c5539","6a2d984ef3fa0de9b9feb5f558381201e6dff42ef5efe4867fb24e47c6a2aade","bf7d5020dcd7777509b7b542255814cd61bfb1599d532dd2fdbb50de2ad70bc5","90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0","ca56720610400d6da773ffa4cce5b2447d4a665087604c9c6e1c9e71c048ccfc"],ignoreCase=true);
// 2. DNS lookups for the cloud-storage APIs abused for C2
in(field="DomainName", values=["*api.pcloud.com", "*cloud-api.yandex.net", "*dropboxapi.com"], ignoreCase=true);
// 3. mspaint.exe started by a shell (trusted binary used as the injection host)
(ImageFileName=/mspaint.exe/iF) | in(field="ParentBaseFileName", values=["cmd.exe", "powershell.exe"], ignoreCase=true);
// 4. mspaint/notepad resolving cloud C2 domains. Note: the wildcards in branch 2 already match
//    every domain listed here, and case{} stops at the first matching branch, so this branch
//    only fires if branch 2 is narrowed.
(ContextBaseFileName=/mspaint.exe/iF OR ContextBaseFileName=/notepad.exe/iF) | in(field="DomainName", values=["api.dropboxapi.com", "dropboxapi.com", "cloud-api.yandex.net"], ignoreCase=true);
// 5. rundll32.exe writing the staged payload file
ContextBaseFileName=/rundll32.exe/iF FileName=/version1.0.tmp/iF
}
| groupBy([ComputerName, UserName, ProcessTree, CommandLine])

Explanation
Imported from cql-hub.com. The first pipe narrows the search to process (*ProcessRollup2), DNS (DnsRequest) and file-write (*Written) events. The case{} block then keeps an event if it matches any one of the five RokRAT indicators (known hash, cloud-storage C2 domain, mspaint.exe spawned from a shell, an injected editor process resolving a C2 domain, or rundll32.exe writing version1.0.tmp), and the final groupBy() summarises the hits per host, user, process tree and command line.

Variables to adjust
Review and adjust the values according to your environment.
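The same hunting logic expressed in Python over constructed FDR-style events, as an added example that is not part of the cql-hub query or of CrowdStrike's tooling: the field names come from the query above, while the hosts, users and sample events are made up. Recording which rule fires also makes visible that the fourth case{} branch is shadowed by the second.

```python
import fnmatch

# Constructed sample events in FDR-style JSON (not real telemetry); field names follow the CQL query above.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\mspaint.exe",
     "ParentBaseFileName": "powershell.exe", "SHA256HashData": "0" * 64},
    {"event_simpleName": "DnsRequest", "ComputerName": "WS01", "UserName": "alice",
     "ContextBaseFileName": "notepad.exe", "DomainName": "api.dropboxapi.com"},
    {"event_simpleName": "PeFileWritten", "ComputerName": "WS02", "UserName": "bob",
     "ContextBaseFileName": "rundll32.exe", "FileName": "version1.0.tmp"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "UserName": "carol",
     "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe",
     "ParentBaseFileName": "userinit.exe", "SHA256HashData": "1" * 64},
]
# One of the hashes listed in the query; add the rest of that list here.
KNOWN_BAD_SHA256 = {"3fa06c290c477c133ca58512c7852fc998632721f2dc3a0984f18fbe86451e18"}
CLOUD_C2_DOMAINS = ("*api.pcloud.com", "*cloud-api.yandex.net", "*dropboxapi.com")

def _glob(value, patterns):
    # Case-insensitive wildcard match, like in(..., ignoreCase=true) with '*' values.
    return any(fnmatch.fnmatch(value.lower(), p.lower()) for p in patterns)

def match_rokrat(ev):
    # Return the first matching rule name or None; the order mirrors the case{} branches,
    # which fire only on the first branch that matches.
    name = ev.get("event_simpleName", "")
    ctx = ev.get("ContextBaseFileName", "").lower()
    domain = ev.get("DomainName", "")
    if ev.get("SHA256HashData", "").lower() in KNOWN_BAD_SHA256:
        return "known_hash"
    if domain and _glob(domain, CLOUD_C2_DOMAINS):
        return "cloud_c2_dns"
    if (name == "ProcessRollup2" and ev.get("ImageFileName", "").lower().endswith("\\mspaint.exe")
            and ev.get("ParentBaseFileName", "").lower() in ("cmd.exe", "powershell.exe")):
        return "mspaint_from_shell"
    if ctx in ("mspaint.exe", "notepad.exe") and _glob(domain, CLOUD_C2_DOMAINS):
        return "injected_editor_dns"  # never reached: rule 2 already matches these domains
    if name.endswith("Written") and ctx == "rundll32.exe" and ev.get("FileName", "").lower() == "version1.0.tmp":
        return "rundll32_tmp_write"
    return None

def hunt(events):
    # Count hits per (ComputerName, UserName, rule): a simplified groupBy().
    hits = {}
    for ev in events:
        rule = match_rokrat(ev)
        if rule:
            key = (ev.get("ComputerName"), ev.get("UserName"), rule)
            hits[key] = hits.get(key, 0) + 1
    return hits
```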