IO Cs For Smart Ape SG Fake Browser Update Leads To Net Support RAT And Steal C
Query
let URL_IOCs =DeviceNetworkEvents
| extend method = tostring(parse_json(AdditionalFields).method), uri = tostring(parse_json(AdditionalFields).uri)
| where (method has "POST" and ("RemoteIP" startswith "62.164.130" or uri endswith "dll")) or RemoteUrl contains "cinaweine" or RemoteIP startswith "194.180.191" or RemoteUrl contains "poormet";
let FILE_IOC = DeviceFileEvents | where SHA256 has "47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc" or SHA256 has "b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3" or SHA256 contains "e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d" or FileName has "rtworkq.dll" or FileName has "misk.zip" or (FileName startswith "update " and FileName endswith "js") ;
let DLL_IOC = DeviceImageLoadEvents | where SHA256 has "021bb478b704abb95ac2040061b7d47d8e4b491e6d2633adb010c3b8b08bb4f4";
union URL_IOCs, FILE_IOC, DLL_IOCAbout this query
IOCs for SmartApeSG fake browser update leads to NetSupport RAT and StealC
Based on the post below posted by Palo Alto Networks Unit 42, I created a quick KQL query to detect potential matches with some of the IOCs related to distribution of hashtag#NetSupportRAT and hashtag#StealC malware. In some parts of the query, I use broader conditions instead of specifying exact DLL names or remote IP addresses. This approach helps extend detection capabilities in case the threat actor modifies file names or switches to a similar IP.
Explanation
This KQL query is designed to detect potential indicators of compromise (IOCs) related to the distribution of the NetSupport RAT and StealC malware. Here's a simplified breakdown of what the query does:
-
URL_IOCs: This part of the query looks at network events to identify suspicious activity. It checks for:
- HTTP POST requests where the remote IP address starts with "62.164.130" or the URI ends with "dll".
- URLs containing specific strings like "cinaweine" or "poormet".
- Remote IP addresses starting with "194.180.191".
-
FILE_IOC: This section examines file events to find suspicious files. It searches for:
- Files with specific SHA256 hash values.
- File names containing "rtworkq.dll" or "misk.zip".
- File names that start with "update " and end with "js".
-
DLL_IOC: This part checks for DLL files loaded into memory with a specific SHA256 hash value.
Finally, the query combines the results from these three parts (URL_IOCs, FILE_IOC, DLL_IOC) to identify potential matches with the IOCs related to the malware. By using broader conditions, the query aims to catch variations in file names or IP addresses that the threat actors might use to evade detection.
Details

Sergio Albea
Released: February 19, 2025
Tables
Keywords
Operators