
ROKRAT Malware APT 37

RoKRAT Malware – Injection & Steganography

🛠 High‑Level TTPs

- Initial Access: Malicious .lnk files within compressed archives.
- Execution & Persistence: PowerShell/BAT‑driven staged loaders with XOR decryption.
- Defense Evasion: Process injection into trusted Windows binaries & payload concealment via steganography.
- Command & Control: Abuse of pCloud, Yandex Disk, and Dropbox APIs with embedded tokens to blend with legitimate traffic.

[Genians Blog - RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies](https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic)

Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/ROKRAT-Malware-APT-37.md)

Detection Query

in(field="#event_simpleName", values=[*ProcessRollup2,DnsRequest,*Written])
|case{
    in(field="SHA256HashData", values=["3fa06c290c477c133ca58512c7852fc998632721f2dc3a0984f18fbe86451e18","ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6","9eca7ab62e3ad40b79116ad713462e3ae4d9610345952e5dd279f0b481870d4f","7ee4326c5d0e6a30c1a9bdec045d670758fa1b36477992d61b03cb270113b196","e27467f7fdfa721e917384542ce10cc6108dfd78df14e23872cf8df916e0b8c6","7d514021c472e6e17f587ed30555d3f120653e6c7f8dc25d2331514b92ffd7bc","41d9b6d8cf0fff85bf35327d4b94db629cd9f754c487672911b7f701fe8c5539","6a2d984ef3fa0de9b9feb5f558381201e6dff42ef5efe4867fb24e47c6a2aade","bf7d5020dcd7777509b7b542255814cd61bfb1599d532dd2fdbb50de2ad70bc5","90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0","ca56720610400d6da773ffa4cce5b2447d4a665087604c9c6e1c9e71c048ccfc"],ignoreCase=true);
    in(field="DomainName", values=["*api.pcloud.com","*cloud-api.yandex.net","*dropboxapi.com"], ignoreCase=true);
    (ImageFileName= /mspaint.exe/iF) |in(field="ParentBaseFileName", values=["cmd.exe","powershell.exe"], ignoreCase=true);
    (ContextBaseFileName=/mspaint.exe/iF OR ContextBaseFileName=/notepad.exe/iF) | in(field="DomainName", values=["api.dropboxapi.com","dropboxapi.com","cloud-api.yandex.net"], ignoreCase=true);
    ContextBaseFileName=/rundll32.exe/iF FileName=/version1.0.tmp/iF
}
|groupBy([ComputerName,UserName,ProcessTree,CommandLine])
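To see which branch of the `case{}` above a given event trips, and in what order, here is an added Python emulation of the query's logic run over constructed Falcon-style events; it is not code from this page or the CrowdStrike-Queries project, and the branch labels, the sample events and the `hunt()` helper are assumptions (only one of the page's eleven hashes is reused).

```python
import fnmatch
import re
from collections import defaultdict

# IOC values copied from the query on this page (one of the eleven hashes shown).
ROKRAT_SHA256 = {"3fa06c290c477c133ca58512c7852fc998632721f2dc3a0984f18fbe86451e18"}
C2_DOMAIN_GLOBS = ["*api.pcloud.com", "*cloud-api.yandex.net", "*dropboxapi.com"]
ABUSED_HOSTS = ["api.dropboxapi.com", "dropboxapi.com", "cloud-api.yandex.net"]

def _glob(value, patterns):
    """in(field, values=[...], ignoreCase=true): case-insensitive wildcard match."""
    return any(fnmatch.fnmatchcase((value or "").lower(), p.lower()) for p in patterns)

def _rx(value, *patterns):
    """field=/pattern/i: unanchored, case-insensitive regex, as CQL evaluates it."""
    return any(re.search(p, value or "", re.I) for p in patterns)

def match_branch(ev):
    """First case{} branch the event satisfies (case{} is first-match-wins), else None."""
    if not _glob(ev.get("event_simpleName"), ["*ProcessRollup2", "DnsRequest", "*Written"]):
        return None
    if (ev.get("SHA256HashData") or "").lower() in ROKRAT_SHA256:
        return "known_rokrat_hash"
    if _glob(ev.get("DomainName"), C2_DOMAIN_GLOBS):
        return "cloud_c2_domain"  # shadows the editor-to-cloud-API branch below
    if _rx(ev.get("ImageFileName"), "mspaint.exe") and \
            _glob(ev.get("ParentBaseFileName"), ["cmd.exe", "powershell.exe"]):
        return "mspaint_spawned_by_shell"
    if _rx(ev.get("ContextBaseFileName"), "mspaint.exe", "notepad.exe") and \
            _glob(ev.get("DomainName"), ABUSED_HOSTS):
        return "injected_editor_to_cloud_api"
    if _rx(ev.get("ContextBaseFileName"), "rundll32.exe") and _rx(ev.get("FileName"), "version1.0.tmp"):
        return "rundll32_writes_version1_0_tmp"
    return None

def hunt(events):
    """Emulate groupBy([ComputerName, UserName, ProcessTree, CommandLine]) -> branch labels."""
    groups = defaultdict(list)
    for ev in events:
        if label := match_branch(ev):
            groups[tuple(ev.get(k, "") for k in ("ComputerName", "UserName", "ProcessTree", "CommandLine"))].append(label)
    return dict(groups)

# Constructed sample telemetry (not real events): mspaint.exe from PowerShell, then a Dropbox API lookup.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\mspaint.exe", "ParentBaseFileName": "powershell.exe"},
    {"event_simpleName": "DnsRequest", "ComputerName": "WS01", "UserName": "alice",
     "ContextBaseFileName": "mspaint.exe", "DomainName": "api.dropboxapi.com"},
]
```

Because `case{}` stops at the first matching branch, a DNS lookup of a Dropbox API host from an injected mspaint.exe is labelled by the bare domain branch, so the editor-to-cloud-API branch only adds signal when the domain branch does not already fire; the benign-versus-suspicious call still rests on the ProcessTree and CommandLine context that the `groupBy` surfaces.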

Author

Aamir Muhammad

Data Sources

Endpoint

Platforms

windows, linux

Tags

Hunting, cs_module:Insight

Raw Content

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: ROKRAT Malware APT 37

# Description of what the query does and its purpose.
description: |
  RoKRAT Malware – Injection & Steganography 
  🛠 High‑Level TTPs
  - Initial Access: Malicious .lnk files within compressed archives. 
  - Execution & Persistence: PowerShell/BAT‑driven staged loaders with XOR decryption.
  - Defense Evasion: Process injection into trusted Windows binaries & payload concealment via steganography.
  - Command & Control: Abuse of pCloud, Yandex Disk, and Dropbox APIs with embedded tokens to blend with legitimate traffic.

# The author or team that created the query.
author: Aamir Muhammad

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  in(field="#event_simpleName", values=[*ProcessRollup2,DnsRequest,*Written])
  |case{
      in(field="SHA256HashData", values=["3fa06c290c477c133ca58512c7852fc998632721f2dc3a0984f18fbe86451e18","ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6","9eca7ab62e3ad40b79116ad713462e3ae4d9610345952e5dd279f0b481870d4f","7ee4326c5d0e6a30c1a9bdec045d670758fa1b36477992d61b03cb270113b196","e27467f7fdfa721e917384542ce10cc6108dfd78df14e23872cf8df916e0b8c6","7d514021c472e6e17f587ed30555d3f120653e6c7f8dc25d2331514b92ffd7bc","41d9b6d8cf0fff85bf35327d4b94db629cd9f754c487672911b7f701fe8c5539","6a2d984ef3fa0de9b9feb5f558381201e6dff42ef5efe4867fb24e47c6a2aade","bf7d5020dcd7777509b7b542255814cd61bfb1599d532dd2fdbb50de2ad70bc5","90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0","ca56720610400d6da773ffa4cce5b2447d4a665087604c9c6e1c9e71c048ccfc"],ignoreCase=true);
      in(field="DomainName", values=["*api.pcloud.com","*cloud-api.yandex.net","*dropboxapi.com"], ignoreCase=true);
      (ImageFileName= /mspaint.exe/iF) |in(field="ParentBaseFileName", values=["cmd.exe","powershell.exe"], ignoreCase=true);
      (ContextBaseFileName=/mspaint.exe/iF OR ContextBaseFileName=/notepad.exe/iF) | in(field="DomainName", values=["api.dropboxapi.com","dropboxapi.com","cloud-api.yandex.net"], ignoreCase=true);
      ContextBaseFileName=/rundll32.exe/iF FileName=/version1.0.tmp/iF
  }
  |groupBy([ComputerName,UserName,ProcessTree,CommandLine])

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  [Genians Blog - RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies](https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic)
  
  Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/ROKRAT-Malware-APT-37.md)