Today, in the Threat Hunting Rules category, we are pleased to present a new rule developed by Ariel Millahuel, which detects Redaman RAT:

Redaman is a banking trojan distributed through phishing campaigns. It was first seen in 2015, when it was reported as the RTM banking trojan; new versions of Redaman appeared in 2017 and 2018. In September 2019, researchers identified a version of this malware that uses a previously unseen technique to hide Pony C&C server IP addresses inside the Bitcoin blockchain: the trojan connects to the Bitcoin blockchain and follows a chain of transactions to recover the hidden C&C server address.

A recently discovered version of the Redaman trojan shows new behavior: it modifies root certificates and abuses rundll32 execution to deploy malicious files. Because this malware is frequently used in malspam campaigns, its authors keep improving it and teaching it new tricks.


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution, Defense Evasion, Persistence, Privilege Escalation

Techniques: Install Root Certificate (T1130), Scheduled Task (T1053)
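As an added example (not part of the original post or of the SOC Prime rule itself), the following Python script runs simple hunting logic for the behaviours described above, root certificate installation (T1130), scheduled task creation (T1053) and rundll32 loading a DLL from a user-writable directory, over constructed Sysmon-style events. The paths, task name and certificate thumbprint in the sample events are placeholders, and the user-writable-path heuristic is an assumption of this example, not a detail from the post.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set).
# Paths, the task name and the "ABC123" thumbprint are placeholders, not real indicators.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll,Start"',
    'EventID=1 Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil.exe -addstore root C:\\Users\\bob\\AppData\\Local\\Temp\\ca.cer"',
    'EventID=1 Image=C:\\Windows\\System32\\schtasks.exe CommandLine="schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll"',
    'EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\ABC123\\Blob',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                      # key=value or key="quoted value"
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.IGNORECASE)
ROOT_STORE = re.compile(r'\\SystemCertificates\\Root\\Certificates\\', re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(event: Dict[str, str]) -> List[str]:
    """Return the labels an event matches; an empty list means nothing suspicious."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    hits: List[str] = []
    # T1130: root certificate added with certutil, or a value written straight into the Root store.
    if image.endswith("certutil.exe") and "-addstore" in low and " root " in low:
        hits.append("T1130 certutil -addstore root")
    if event.get("EventID") == "13" and ROOT_STORE.search(event.get("TargetObject", "")):
        hits.append("T1130 registry write to Root certificate store")
    # T1053: scheduled task created whose action lives in a user-writable directory.
    if image.endswith("schtasks.exe") and "/create" in low and USER_WRITABLE.search(cmd):
        hits.append("T1053 schtasks /create with payload in user-writable path")
    # rundll32 proxying execution of a DLL dropped in a user-writable directory.
    if image.endswith("rundll32.exe") and USER_WRITABLE.search(cmd):
        hits.append("rundll32 loading DLL from user-writable path")
    return hits

def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every line; one finding per (event, label) pair."""
    return [{"image": ev.get("Image", ""), "label": label}
            for ev in map(parse_event, lines) for label in classify(ev)]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['label']:<55} {f['image']}")
```

The benign last event (rundll32 loading shell32.dll from the system directory) produces no finding, which is the kind of false positive a bare "rundll32 executed" rule would raise.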

