diff --git a/packs/win_malware.conf b/packs/win_malware.conf
index 18e1be5..553e6a0 100644
--- a/packs/win_malware.conf
+++ b/packs/win_malware.conf
@@ -1853,6 +1853,15 @@
 "windows"
 ]
 },
+ "malware_darkme_registry": {
+ "query": "SELECT key as reg_key, path, name, data, datetime(mtime, 'unixepoch', 'UTC') as last_modified FROM registry WHERE key LIKE 'HKEY_USERS\\S-%\\Software\\Classes\\CLSID\\%\\ProgID' AND data LIKE 'NoProjectName.familytool';",
+ "interval": 86400,
+ "snapshot": true,
+ "description": "DarkMe is a remote access trojan (RAT) written in VB6. It is used by the Water Hydra threat actor group to access victim machines and registers the device to a remote command and control server.",
+ "platform": [
+ "windows"
+ ]
+ },
 "SugarGh0st RAT Registry Key Detected": {
 "query": "SELECT key, path, name, data, DATETIME(mtime, 'unixepoch', 'UTC') AS last_modified FROM registry WHERE key LIKE 'HKEY_USERS\\S-%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' AND name='CTFM0N.EXE';",
 "interval": 86400,
diff --git a/win_malware/malware_darkme_registry.yaml b/win_malware/malware_darkme_registry.yaml
new file mode 100644
index 0000000..3f51d44
--- /dev/null
+++ b/win_malware/malware_darkme_registry.yaml
@@ -0,0 +1,17 @@
+malware_darkme_registry:
+ query: 'SELECT key as reg_key, path, name, data, datetime(mtime, "unixepoch", "UTC")
+ as last_modified FROM registry WHERE key LIKE "HKEY_USERS\S-%\Software\Classes\CLSID\%\ProgID"
+ AND data LIKE "NoProjectName.familytool"'
+ interval: 86400
+ snapshot: true
+ description: DarkMe is a remote access trojan (RAT) written in VB6. It is used by the Water Hydra
+ threat actor group to access victim machines and registers the device to a remote command
+ and control server.
+ references:
+ - https://www.virustotal.com/gui/file/d123d92346868aab77ac0fe4f7a1293ebb48cf5af1b01f85ffe7497af5b30738
+ mitre_tactics:
+ - Persistence: TA0003
+ mitre_techniques:
+ - Modify Registry: T1112
+ platform:
+ - windows
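Review bot: The new pack entry is keyed `malware_darkme_registry` while the neighbouring entry in the same object is keyed with a human-readable title ("SugarGh0st RAT Registry Key Detected"), so the pack now mixes two naming styles for query names that surface verbatim in alert output; pick one convention for the whole file. In the new query, `data LIKE 'NoProjectName.familytool'` carries no wildcard, so LIKE degrades to a case-insensitive equality test — write `data = 'NoProjectName.familytool'` if exact match is meant, or add `%` if a substring match was intended. The description explains what DarkMe is but not what a hit means for a responder; a sentence such as "A result indicates a per-user COM class registration whose ProgID matches the marker string associated with DarkMe samples" (hedged to what the team has confirmed) would make triage faster. The enclosing queries object starts and ends outside this hunk.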
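Review bot: The ATT&CK mapping is internally inconsistent: `mitre_techniques` lists Modify Registry (T1112), which ATT&CK places under Defense Evasion (TA0005), but `mitre_tactics` lists only Persistence (TA0003). Either add `- Defense Evasion: TA0005` to `mitre_tactics`, or, if the per-user `Software\Classes\CLSID\...\ProgID` registration is the persistence mechanism being detected, map the Persistence tactic to T1546.015 (Event Triggered Execution: Component Object Model Hijacking) instead. Separately, this YAML copy of the query differs from the one added to packs/win_malware.conf in the same commit (no trailing `;`, double rather than single quotes inside the SQL), which suggests the two are maintained by hand rather than generated from one source and could drift; if the pack is meant to be generated from these YAML files, regenerate it rather than editing both.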