Threat Hunting Content: SamoRAT Behavior

[post-views]
July 14, 2020 · 2 min read
Threat Hunting Content: SamoRAT Behavior

Today in the Threat Hunting Content section, we want to pay attention to the community rule released in Threat Detection Marketplace by Ariel Millahuel that detects fresh samples of SamoRAT malware: https://tdm.socprime.com/tdm/info/38LTISI1kgNm/w6aTR3MBQAH5UgbBM9Gi/?p=1

This remote access trojan appeared on the radars of researchers recently, the first SamoRAT samples were discovered about a month ago. The trojan is a .NET-based malware which is mainly used by cybercriminals to receive and execute different commands on the infected system. Like other remote access trojans, it is also capable of downloading and executing other malware and tools used by adversaries.

SamoRAT employs the use of anti-analysis check for detecting when it is being analyzed by AV systems, allowing it to change its behavior so that no alarms are triggered by the antivirus software. The trojan has the functionality to stop the Windows Defender process and disable its features by editing registries to avoid detection in run-time.  It also capable of running PowerShell commands to disable Windows Defender’s additional features. SamoRAT achieves persistence via scheduled tasks or modification of Windows registries (depending on administrator privileges for running at start-up). After gaining a foothold, the malware registers itself to the command-and-control server by sending a POST request and then makes one more POST request to the same address indicating that it is ready to receive commands. 

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

 

MITRE ATT&CK:

Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Execution Tactic | TA0002
Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
PyVil RAT by Evilnum Group
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
JSOutProx RAT
Blog, Latest Threats — 2 min read
JSOutProx RAT
Eugene Tkachenko