Sid 1-51532

Message

MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection

Summary

This event is generated when C2 traffic produced by BlackRAT is detected.

Impact

A Network Trojan was detected

Detailed information

BlackRAT is a trojan that maintains contact with its C2 server by creating a sentinel file on the victim machine. It creates persistence by copying itself to multiple locations and can exfiltrate data to the C2 from the victim machine.

Affected systems

  • Windows 7-10

Ease of attack

False positives

None known.

False negatives

None known.

Corrective action

Please follow corporate malware remediation procedures. Enable the new rules to prevent future C2 call-outs.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • www.virustotal.com/gui/file/6610e632758a0ae2ab9b259fe1f83236aff6b5bd485c3d4e3fd4995be68535bf/detection