csharp-streamer RAT (Malware Family)

csharp-streamer RAT

There is no description at this point.

References

2024-10-23 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman
Threat Spotlight: WarmCookie/BadSpace
Cobalt Strike csharp-streamer RAT WarmCookie

2024-10-23 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman
Highlighting TA866/Asylum Ambuscade Activity Since 2021
WasabiSeed Cobalt Strike csharp-streamer RAT Resident Rhadamanthys WarmCookie

2024-06-25 ⋅ HiSolutions ⋅ Nicolas Sprenger
How to detect the modular RAT CSHARP-STREAMER
csharp-streamer RAT

2023-12-06 ⋅ cyber.wtf blog ⋅ Hendrik Eckardt
The csharp-streamer RAT
csharp-streamer RAT

Yara Rules

[TLP:WHITE] win_csharpstreamer_w0 (20240628 | Detects decrypted csharp_streamer)

rule win_csharpstreamer_w0 {
    meta:
        description = "Detects decrypted csharp_streamer"
        author = "HiSolutions AG"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer"
        sharing = "TLP:CLEAR"
        date = "2023-12-18"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer"
        malpedia_rule_date = "20240628"
        malpedia_hash = ""
        malpedia_version = "20240628"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        $y1 = "csharp_streamer.Properties"
        $y2 = "csharp_streamer.Utils"
        $y3 = "csharp_streamer.ms17_10"
        $y4 = "csharp-streamer"
        $z1 = "iphlpapi.dll" ascii wide
        $z2 = "\\<title\\b[^>]*\\>\\s*(?<Title>[\\s\\S]*?)\\</title\\>" ascii wide
        $z3 = "MagicConstants.kSessionTerminate = ByteString.CopyFrom" ascii wide
        $z4 = "StartRalay"
        $d1 = "csharp-streamer.pdb"
    condition:
        uint16(0) == 0x5a4d and (3 of ($y*) or all of ($z*) or $d1)
}

Download all Yara Rules

csharp-streamer RAT Propose Change

References

Yara Rules

csharp-streamer RAT