{
	"id": "e0e3cd2a-b687-4e84-90f3-6d2801223bc2",
	"created_at": "2026-04-06T02:12:12.098234Z",
	"updated_at": "2026-04-10T03:29:39.938548Z",
	"deleted_at": null,
	"sha1_hash": "298101821b6b52ac6c12254de806b87efa15f260",
	"title": "How to detect the modular RAT CSHARP-STREAMER",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100109,
	"plain_text": "How to detect the modular RAT CSHARP-STREAMER\r\nBy Nicolas Sprenger\r\nPublished: 2024-06-25 · Archived: 2026-04-06 01:38:47 UTC\r\nSummary\r\nThe malware known as CSHARP-STREAMER is a Remote Access Trojan (RAT) developed in .NET. It has been deployed in numerous attacks over the past few years. Public reports have mentioned its deployment in attacks orchestrated by REvil. During our casework, however, we observed the threat actor behind the ransomware Metaencryptor using CSHARP-STREAMER. Based on our visibility we assume that Metaencryptor shows a special interest in IT service providers.\r\nKey Takeaways\r\nHiSolutions identified distinctive patterns within the CSHARP-STREAMER malware that aid in the identification of specific samples.\r\nWe confirmed the modular structure of CSHARP-STREAMER. This customization could be driven by the authors' business model, which might involve payment for specific features, or it could be a strategy to minimize the chances of detection and analysis.\r\nThe usage of the RAT increased massively in Q3 2023.\r\nHiSolutions is able to share extra detection rules to support the detection of components of the deployment kit.\r\nPrevalence and Initial Analysis\r\nOur investigation into the CSHARP-STREAMER malware was triggered by a ransomware incident that also included the deployment of „Metaencryptor“ ransomware. Throughout the forensic examination, HiSolutions identified a PowerShell loader responsible for loading, decrypting, and executing the RAT. 
There is public documentation linking CSHARP-STREAMER with other campaigns beyond Metaencryptor:\r\nFortgale attributes the usage to REvil.\r\nArista mentions usage in Operation White Stork.\r\nGDATA ADAN provided a public report, even though in their case no further malware was deployed.\r\nThe DFIR Report identified the RAT during a deployment of ALPHV ransomware.\r\nThe identified PowerShell loader itself, especially the AMSI memory bypass and the XOR decryption component, consists of publicly available proof-of-concepts shared by several security researchers. The AMSI memory bypass is a verbatim copy of a script posted on GitHub in August 2022. The security researcher “GetRektBoy724” originally published the XOR decryption part in 2021.\r\nhttps://research.hisolutions.com/2024/06/how-to-detect-the-modular-rat-csharp-streamer/\r\nPage 1 of 10\n\nAs mentioned above, GDATA ADAN had already published a report on the CSHARP-STREAMER toolchain, also mentioning the reuse of code available in the public domain. The feature set of the CSHARP-STREAMER sample in our case differs from the sample GDATA ADAN was able to analyze: „their“ sample came with a MegaUpload client and with ICMP for C2 communication, whereas the sample analyzed by us came without a MegaUpload client and without ICMP for C2 communication.\r\nWe can confirm the usage of the RAT's TCP relay functionality. Using this feature, the threat actors were able to move from one network into another, more carefully protected network.\r\nUsing the relay leaves traces that provide opportunities for forensic investigation. They are visible in the Windows event logs as EventID 2004 (a rule has been added to the Windows Firewall exception list) together with the creation of a distinct firewall rule named \"Inbound TCP Port 6667\" by \"C:\\Windows\\System32\\netsh.exe\". This behaviour (creation of a firewall rule via netsh) is already covered by a publicly available SIGMA rule written by Michel de Crevoisier. 
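Both traces above, the loader in PowerShell script block logs and the relay's firewall rule, are log-side indicators. The following Python is an added example, not code from the HiSolutions post and not Michel de Crevoisier's Sigma rule: it applies the complete ScriptBlockText substrings from the Sigma rule the post shares under TTP and Detection Rules, plus the netsh and port-6667 indicators, to constructed event records. The dict field names are a simplified rendering of PowerShell event 4104, Sysmon event 1 and Windows Firewall event 2004 (an assumption, not the exact EVTX schema), and the records themselves are constructed, not real telemetry. Double quotes inside the PowerShell indicators are written as ^ and converted by a helper so the snippet carries no escape sequences.

```python
# Added example, not from the HiSolutions post: apply its script-block and firewall
# indicators to constructed event records (the dict layout is a simplification).
DQ = chr(34)   # a double quote
BS = chr(92)   # a backslash; both spelled out so the snippet needs no escape sequences


def dq(s):
    # The PowerShell indicators contain double quotes; they are written with ^ here.
    return s.replace('^', DQ)


# ScriptBlockText|contains values from the post's Sigma rule (the complete ones).
LOADER_INDICATORS = [
    '[WinApi]::VirtualProtect($funcAddr, [uint32]$patch.Length, 0x40, [ref] $out)',
    dq('$amsiDll = [WinApi]::LoadLibrary(^ams^+^i.dll^)'),
    dq('$funcAddr = [WinApi]::GetProcAddress($amsiDll, ^Ams^+^iScanB^+^uffer^)'),
    'if($metInfo.GetParameters().Length -eq 0) # If Assembly - VB, update params',
]
RELAY_RULE_NAME = 'Inbound TCP Port 6667'   # rule name the relay module created via netsh
RELAY_PORT = '6667'
NETSH_PATH = BS.join(['C:', 'Windows', 'System32', 'netsh.exe'])


def check_script_block(event):
    # PowerShell 4104: any loader substring in ScriptBlockText (script block logging required)
    if event.get('EventID') != 4104:
        return None
    hits = [s for s in LOADER_INDICATORS if s in event.get('ScriptBlockText', '')]
    return 'csharp_streamer loader' if hits else None


def check_process(event):
    # Process creation (Sysmon event 1 field names): netsh.exe adding a firewall rule
    if event.get('EventID') != 1:
        return None
    image = event.get('Image', '').lower()
    cmd = event.get('CommandLine', '').lower()
    if image.endswith('netsh.exe') and 'advfirewall firewall add rule' in cmd:
        return 'netsh firewall rule added'
    return None


def check_firewall_rule(event):
    # Windows Firewall 2004 (rule added): the relay's rule by name, or any inbound TCP
    # rule on 6667 regardless of how the operator named it
    if event.get('EventID') != 2004:
        return None
    by_name = event.get('RuleName') == RELAY_RULE_NAME
    by_port = (event.get('Direction') == 'Inbound' and event.get('Protocol') == 'TCP'
               and event.get('LocalPorts') == RELAY_PORT)
    if by_name or by_port:
        return 'relay firewall rule (' + ('name' if by_name else 'port') + ')'
    return None


def triage(events):
    # Returns (EventRecordID, finding) pairs in log order
    findings = []
    for event in events:
        for check in (check_script_block, check_process, check_firewall_rule):
            finding = check(event)
            if finding:
                findings.append((event['EventRecordID'], finding))
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {'EventRecordID': 1, 'EventID': 4104,
     'ScriptBlockText': 'Get-ChildItem C:' + BS + 'Temp | Sort-Object Length'},
    {'EventRecordID': 2, 'EventID': 4104,
     'ScriptBlockText': dq('$amsiDll = [WinApi]::LoadLibrary(^ams^+^i.dll^)') + chr(10)
                        + dq('$funcAddr = [WinApi]::GetProcAddress($amsiDll, ^Ams^+^iScanB^+^uffer^)')},
    {'EventRecordID': 3, 'EventID': 1, 'Image': NETSH_PATH,
     'CommandLine': dq('netsh advfirewall firewall add rule name=^Inbound TCP Port 6667^ '
                       'dir=in action=allow protocol=TCP localport=6667')},
    {'EventRecordID': 4, 'EventID': 2004, 'RuleName': RELAY_RULE_NAME, 'Direction': 'Inbound',
     'Protocol': 'TCP', 'LocalPorts': RELAY_PORT, 'ModifyingApplication': NETSH_PATH},
    {'EventRecordID': 5, 'EventID': 2004, 'RuleName': 'Core Networking - DNS (UDP-Out)',
     'Direction': 'Outbound', 'Protocol': 'UDP', 'LocalPorts': 'Any',
     'ModifyingApplication': BS.join(['C:', 'Windows', 'System32', 'svchost.exe'])},
]

if __name__ == '__main__':
    for record_id, finding in triage(SAMPLE_EVENTS):
        print(record_id, finding)
```

The port-based branch of check_firewall_rule matters more than the name: the rule name is an operator choice and may change between intrusions, while an inbound allow on an otherwise unused port written by netsh.exe rather than by a management tool is the durable part of the trace. Records 1 and 5 are the benign controls; the triage returns findings for records 2, 3 and 4 only.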
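The loader's XOR decryption component means that what reaches disk (if anything) is the encoded blob, while the string-based rule the post shares later only fires on the decrypted assembly. The following Python is an added example, not code from the HiSolutions post, from the loader or from GetRektBoy724's proof-of-concept: a repeating-key XOR stands in for the loader's routine (an assumption), and the scan evaluates the string set and condition of the CSHARP_STREAMER YARA rule from the Detection and Response section of the post, including its ascii wide (UTF-16LE) strings, without the yara module. The sample buffer is constructed, not a real sample; the $z2 regex pattern is assembled from chr(92) because of the backslashes it contains.

```python
# Added example, not from the HiSolutions post: decrypt an XOR-encoded payload and
# evaluate the CSHARP_STREAMER YARA condition on the result (pure Python, no yara module).
import struct

BS = chr(92)  # a backslash, spelled out so this snippet contains no escape sequences

# String set of the post's rule. $z2 is the regex pattern the malware embeds; it is
# assembled piecewise because of the backslashes it contains.
Y_STRINGS = [
    'csharp_streamer.Properties',
    'csharp_streamer.Utils',
    'csharp_streamer.ms17_10',
    'csharp-streamer',
]
Z2_REGEX = (BS + '<title' + BS + 'b[^>]*' + BS + '>' + BS + 's*(?<Title>['
            + BS + 's' + BS + 'S]*?)' + BS + '</title' + BS + '>')
Z_STRINGS = [            # (string, wide): wide means the UTF-16LE form is matched too
    ('iphlpapi.dll', True),
    (Z2_REGEX, True),
    ('MagicConstants.kSessionTerminate = ByteString.CopyFrom', True),
    ('StartRalay', False),   # the malware author's typo, kept deliberately
]
D1_STRING = 'csharp-streamer.pdb'


def present(buf, s, wide=False):
    # YARA ascii matches the raw bytes; ascii wide additionally matches UTF-16LE.
    if s.encode('ascii') in buf:
        return True
    return wide and s.encode('utf-16-le') in buf


def csharp_streamer_matches(buf):
    # condition: uint16(0) == 0x5a4d and (3 of ($y*) or all of ($z*) or $d1)
    if len(buf) < 2 or struct.unpack('<H', buf[:2])[0] != 0x5A4D:
        return False          # no MZ header: the rule never fires on the XOR blob
    y_hits = sum(present(buf, s) for s in Y_STRINGS)
    z_all = all(present(buf, s, wide) for s, wide in Z_STRINGS)
    return y_hits >= 3 or z_all or present(buf, D1_STRING)


def xor_crypt(data, key):
    # Repeating-key XOR (assumption standing in for the loader's routine); symmetric,
    # so the same function encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_decrypted_sample():
    # Constructed stand-in for the decrypted assembly: MZ header, padding, three of the
    # $y namespace strings (enough for 3 of ($y*)) and a UTF-16LE copy of $z1.
    return (b'MZ' + bytes(62)
            + b'csharp_streamer.Properties' + bytes(4)
            + b'csharp_streamer.Utils' + bytes(4)
            + b'csharp_streamer.ms17_10' + bytes(4)
            + 'iphlpapi.dll'.encode('utf-16-le'))


def scan_before_and_after(blob, key):
    # What a disk scan sees (the XOR blob) versus what a memory scan sees (decrypted).
    return csharp_streamer_matches(blob), csharp_streamer_matches(xor_crypt(blob, key))


if __name__ == '__main__':
    key = b'k3y!'                                    # constructed key
    blob = xor_crypt(build_decrypted_sample(), key)  # the blob as the loader would carry it
    print(scan_before_and_after(blob, key))          # (False, True)
```

The point of the two-stage scan is operational: the rule's uint16(0) == 0x5a4d check alone guarantees a miss on the encoded blob, so the condition has to be run either on the decrypted payload or on a memory dump of the process that ran the loader. The wide handling is what makes $z1 match in the constructed sample, where it is present only as UTF-16LE, as it would be in a .NET user-string heap.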
The threat actors did not use the feature on a large scale, but only in situations where they had to close a gap between different parts of the affected organization's network.\r\nIn total, we were able to identify the following modules in the sample initially identified by us:\r\nADUtils\r\nExecuteAssembly\r\nFiletree\r\nHttpServer\r\nKeylogger\r\nLineParser\r\nPsExec\r\nRelay\r\nRunAs\r\nSendfile\r\nSget\r\nSmbLogin\r\nWget\r\nSpawn\r\nDuring the attack, Metaencryptor immediately used the Relay feature on specific machines and enumerated the users of the domain with Windows PowerShell scripts instead of using CSHARP-STREAMER's comprehensive toolset. The reconstructed process tree confirmed that the attacker used the RAT mainly for running a diverse set of PowerShell scripts.\r\nEvolution of Malware\r\nThe fact that our sample differed from the one GDATA ADAN analyzed led us to the assumption that CSHARP-STREAMER is modularized and assembled for a specific use case. The reasoning behind that is unclear, but two explanations come to mind: CSHARP-STREAMER might be malware-as-a-service, where customers have to pay per feature. Another possible explanation is that the malware authors wanted to reduce the opportunities for analysis and detection by only shipping the modules a given operation needs. We were not able to rule out either option. Since we wanted to gain a more complete overview of the overall capability of CSHARP-STREAMER, we tried to find further samples.\r\nTo our knowledge, the first in-the-wild samples of the malware surfaced in the second half of 2020. From our point of view, these are probably early development versions of CSHARP-STREAMER. Some of these samples contain PDB paths. 
The „csharp_streamer.Relay“ library differs codewise from the main „csharp_streamer“ library by incorporating Chinese strings. While earlier samples from 2019 contain a PDB path and are declared as version 1.0.0.0, current samples carry ascending version numbers (2.10.8515.16637 – 2.10.8700.7258).\r\nThe analysis of samples shows that there are two main configurations of CSHARP-STREAMER used in the wild, one with the MegaUpload client and one without. While we couldn't identify samples from the year 2022, we are confident that CSHARP-STREAMER was also in active use during this time period.\r\nThe observed uptick in the RAT's usage in August 2023 also marks the beginning of Metaencryptor's publishing of victims (12 in August, 1 in September, 2 in November, 1 in December) and LostTrust's trove of 53 victims in August.\r\nAs mentioned by Fortgale, the RAT was also used in 2021 by REvil/GoldSouthfield and, according to Arista, by an unknown threat actor in summer 2022. While we can see an overlap in TTPs with Arista's report in our case (similar staging directories and tooling), we are not confident in attributing both attacks to the same threat actor. The switch in TTPs in the incident handled by us suggests the work of an initial access broker which gave MetaEncryptor access to the environment. The compilation timestamp of GDATA's samples also correlates with the occurrence of new C2 infrastructure in early 2023. In combination with the utilization of the RAT by multiple actors and in at least three different configurations (Mega, Mega + ICMP, Basic), we expect that the malware is provided as a service to ransomware groups. 
The recent publication by „The DFIR Report“ identifies the RAT during an attack by ALPHV.\r\nDetection and Response\r\nEarly development samples contain the PDB path „D:\\Devel\\csharp-streamer\\csharp-streamer\\obj\\Release\\csharp-streamer.pdb“. Additionally, the malware contains some specific strings with typos, like „ListRalays“, which can aid in detection.\r\nThus, we can provide a YARA rule that helps with the identification of known samples. Please note that in the cases known to us, the sample was loaded only in memory and never written to disk, so the rule has to be applied to process memory or to the decrypted payload rather than to files.\r\nAdditional detection mechanisms include:\r\nPowerShell script block logging\r\nThe creation of firewall rules by netsh.exe\r\nMultiple static strings which can be found in memory\r\nThe use of CSHARP-STREAMER's user agent „websocket-sharp/1.0“\r\nSpecific web requests (see headers below)\r\nTTP and Detection Rules\r\nThe following rules are shared as TLP:CLEAR.\r\nYara Rule\r\nrule CSHARP_STREAMER {\r\n    meta:\r\n        description = \"Detects decrypted csharp_streamer\"\r\n        author = \"HiSolutions AG\"\r\n        reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer\"\r\n        sharing = \"TLP:CLEAR\"\r\n        date = \"2023-12-18\"\r\n        score = 100\r\n    strings:\r\n        // namespace strings of the decrypted .NET assembly\r\n        $y1 = \"csharp_streamer.Properties\"\r\n        $y2 = \"csharp_streamer.Utils\"\r\n        $y3 = \"csharp_streamer.ms17_10\"\r\n        $y4 = \"csharp-streamer\"\r\n        // embedded library name, regex pattern and C# constant; matched as ASCII or UTF-16LE\r\n        $z1 = \"iphlpapi.dll\" ascii wide\r\n        $z2 = \"\\\\<title\\\\b[^>]*\\\\>\\\\s*(?<Title>[\\\\s\\\\S]*?)\\\\</title\\\\>\" ascii wide\r\n        $z3 = \"MagicConstants.kSessionTerminate = ByteString.CopyFrom\" ascii wide\r\n        // the author's typo, kept deliberately (compare ListRalays above)\r\n        $z4 = \"StartRalay\"\r\n        // PDB path of early development samples\r\n        $d1 = \"csharp-streamer.pdb\"\r\n    condition:\r\n        uint16(0) == 0x5a4d and (3 of ($y*) or all of ($z*) or $d1)\r\n}\r\nSIGMA 
Rule\r\ntitle: Potential csharp_streamer Powershell-Loader\r\nid: 77bdea07-634c-49ad-96d3-03736882b914\r\nstatus: test\r\ndescription: Detects Powershell-Loader as seen with csharp_streamer.\r\nreferences:\r\n  - none\r\nauthor: HiSolutions AG\r\ndate: 2023/12/18\r\ntags:\r\n  - tlp.white\r\n  - attack.t1562.001\r\n  - attack.t1059.001\r\nlogsource:\r\n  product: windows\r\n  category: ps_script\r\n  definition: 'Requirements: Script Block Logging must be enabled'\r\ndetection:\r\n  ps_script:\r\n    EventID: 4104\r\n    Channel:\r\n      - Microsoft-Windows-PowerShell/Operational\r\n      - PowerShellCore/Operational\r\n  selection:\r\n    ScriptBlockText|contains:\r\n      - '[WinApi]::VirtualProtect($funcAddr, [uint32]$patch.Length, 0x40, [ref] $out)\r\n      - '$wc = New-Object System.Net.WebClient; $wc.Proxy = [System.Net.GlobalProxySe\r\n      - '$string = xor \"$rawData\" \"decrypt\" \"'\r\n      - 'if($metInfo.GetParameters().Length -eq 0) # If Assembly - VB, update params'\r\n      - '-UseBasicParsing -UserAgent \"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;\r\n      - '$amsiDll = [WinApi]::LoadLibrary(\"ams\"+\"i.dll\")'\r\n      - '$funcAddr = [WinApi]::GetProcAddress($amsiDll, \"Ams\"+\"iScanB\"+\"uffer\")'\r\n  condition: ps_script and selection\r\nfalsepositives:\r\n  - Unknown\r\nlevel: high\r\nruletype: Sigma\r\nMalware related MITRE ATT&CK Techniques\r\nID | Technique | Usage\r\nT1016 | System Network Configuration Discovery | The malware enumerates the network configuration of infected hosts.\r\nT1018 | Remote System Discovery | The malware queries LDAP to discover additional systems.\r\nT1021.002 | Remote Services: SMB/Windows Admin Shares | The malware uses a PsExec implementation to support lateral movement.\r\nT1046 | Network Service Discovery | The malware implements port-scanning capabilities and contains descriptions for multiple ports.\r\nT1056.001 | Input Capture: Keylogging | The malware offers keylogging functionality.\r\nT1083 | File and Directory Discovery | The malware can create file trees on infected systems. It also contains an extensive dictionary of strings to classify found files (e.g. network architecture, finance, passwords).\r\nT1090.001 | Proxy: Internal Proxy | The malware has dedicated port-relaying capabilities.\r\nT1095 | Non-Application Layer Protocol | The malware supports C2 communication via ICMP.\r\nT1110.001 | Brute Force: Password Guessing | The malware has an integrated function that supports brute-forcing credentials for SMB access.\r\nT1113 | Screen Capture | The malware can capture screenshots.\r\nT1134.001 | Access Token Manipulation: Token Impersonation/Theft | The malware supports token impersonation.\r\nT1134.002 | Access Token Manipulation: Create Process with Token | The malware offers the ability to launch processes in different contexts.\r\nT1562.001 | Impair Defenses: Disable or Modify Tools | The malware patches the in-memory amsi.dll before executing PowerShell commands.\r\nT1567 | Exfiltration Over Web Service | The malware allows data exfiltration via HTTPS.\r\nT1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | The malware allows direct file exfiltration to Mega.io.\r\nT1620 | Reflective Code Loading | The malware can execute code from URLs, remote and local files directly in memory.\r\nTTP related to CSHARP-Streamer Malware\r\nThreat Actor (TA) related MITRE ATT&CK Techniques\r\nID | Technique | Usage\r\nT1018 | Remote System Discovery | The TA queries the AD environment for computers via a PowerShell script using „adsisearcher“ [1].\r\nT1021.002 | Remote Services: SMB/Windows Admin Shares | The TA uses „PSExec“ [2] to execute commands on remote systems via a PowerShell script.\r\nT1033 | System Owner/User Discovery | The TA queries the AD environment and uses LDAP for user discovery via a PowerShell script using „adsisearcher“.\r\nT1046 | Network Service Discovery | The TA queries the AD environment for SPNs via a PowerShell script.\r\nT1082 | System Information Discovery | The TA queries the AD environment for the operating system and system version via a PowerShell script.\r\nT1083 | File and Directory Discovery | The TA lists files in multiple directories and actively searches for KeePass configuration files.\r\nT1087.001 | Account Discovery: Local Account | The TA uses „net user“ to enumerate local users on each computer via a PowerShell script.\r\nT1087.002 | Account Discovery: Domain Account | The TA uses „net user“ and „adsisearcher“ to enumerate domain users on each computer via a PowerShell script.\r\nT1087.003 | Account Discovery: Email Account | The TA uses „adsisearcher“ to enumerate mail users on each computer via a PowerShell script.\r\nT1217 | Browser Information Discovery | The TA uses NirSoft's „Browser History View“ [3] to view the history of Internet Explorer, Firefox, Chrome and Safari via a PowerShell script.\r\nT1482 | Domain Trust Discovery | The TA queries the AD environment for all trust relationships via a PowerShell script.\r\nT1485 | Data Destruction | The TA uses „format“ to format secondary partitions via „PSExec“.\r\nT1486 | Data Encrypted for Impact | The TA encrypts virtual machines at the hypervisor level. Local files are encrypted through the use of ransomware deployed via „PSExec“.\r\nT1497.001 | Virtualization/Sandbox Evasion: System Checks | The TA checks the host environment via the BIOS serial number and manufacturer of the computer via a PowerShell script.\r\nT1518 | Software Discovery | The TA lists all .lnk files in the Windows\\Start Menu folder and analyzes the Windows\\Prefetch folder for executed and installed applications via a PowerShell script.\r\nT1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | The TA uses „PowerView“ [4] from the „PowerSploit“ framework to acquire tickets and converts them for later use via a PowerShell script.\r\nT1569.002 | System Services: Service Execution | The TA uses „PSExec“ to execute commands on remote systems via a PowerShell script.\r\nT1614 | System Location Discovery | The TA queries the AD environment for department and physical delivery location of computers via a PowerShell script.\r\nT1619 | Cloud Storage Object Discovery | The TA lists all files in the main folder path of „OneDrive“ and „Dropbox“ and their first subdirectory level via a PowerShell script.\r\nTTP related to MetaEncryptor threat actor using CSHARP-Streamer\r\nSource: https://research.hisolutions.com/2024/06/how-to-detect-the-modular-rat-csharp-streamer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.hisolutions.com/2024/06/how-to-detect-the-modular-rat-csharp-streamer/"
	],
	"report_names": [
		"how-to-detect-the-modular-rat-csharp-streamer"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441532,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/298101821b6b52ac6c12254de806b87efa15f260.pdf",
		"text": "https://archive.orkl.eu/298101821b6b52ac6c12254de806b87efa15f260.txt",
		"img": "https://archive.orkl.eu/298101821b6b52ac6c12254de806b87efa15f260.jpg"
	}
}