The hypothesis is that an adversary is using a custom DLL (StarBurn.dll in the reported intrusion) to load and deobfuscate a .dat file containing shellcode as part of a REDLEAVES RAT deployment. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential adversary or Red Team activity and stop the payload before it executes.
YARA Rule
rule REDLEAVES_DroppedFile_ImplantLoader_Starburn {
    meta:
        description = "Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT"
        author = "USG"
        true_positive = "7f8a867a8302fe58039a6db254d335ae" // StarBurn.dll (MD5)
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        // Two copies of the same loop body, 4 to 14 bytes apart (x86 decode of the bytes):
        //   32 0c 3a   xor  cl, byte ptr [edx+edi]
        //   83 c2 02   add  edx, 2
        //   88 0e      mov  byte ptr [esi], cl
        //   83 fa 08   cmp  edx, 8          (second copy: 83 fa 10 = cmp edx, 0x10)
        $XOR_Loop = {32 0c 3a 83 c2 02 88 0e 83 fa 08 [4-14] 32 0c 3a 83 c2 02 88 0e 83 fa 10} // Deobfuscation loop
    condition:
        any of them
}
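To see exactly what the hex string above accepts, here is an added example (not code from the page or from TA17-117A) that re-implements the subset of YARA hex-string matching the rule relies on: literal bytes, ?? wildcards and [n-m] jumps are translated into a bytes regex, then run over constructed buffers. The loop bytes are the rule's; the filler bytes and sample buffers are constructed for the example and are not StarBurn.dll content.

```python
import re

# Added example: minimal YARA hex-string matcher (literal bytes, ?? wildcards,
# [n], [n-m], [n-], [-] jumps). Not YARA itself; enough to exercise $XOR_Loop offline.
XOR_LOOP_HEX = "{32 0c 3a 83 c2 02 88 0e 83 fa 08 [4-14] 32 0c 3a 83 c2 02 88 0e 83 fa 10}"


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (with or without braces) into a compiled bytes regex."""
    pieces = []
    for tok in hex_string.strip().strip("{}").split():
        if tok == "??":                                   # one wildcard byte
            pieces.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):   # jump over a range of bytes
            inner = tok[1:-1]
            if "-" in inner:
                lo, hi = inner.split("-", 1)
                lo_n = int(lo) if lo else 0
                if hi:
                    pieces.append(b".{%d,%d}" % (lo_n, int(hi)))
                else:
                    pieces.append(b".{%d,}" % lo_n)       # unbounded jump
            else:
                pieces.append(b".{%d}" % int(inner))      # exact jump
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            pieces.append(b"\\x%02x" % int(tok, 16))      # literal byte
        else:
            raise ValueError(f"unsupported hex-string token: {tok}")
    # DOTALL: '.' must also match 0x0a, these are code bytes, not text lines
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(data: bytes, hex_string: str = XOR_LOOP_HEX) -> list:
    """Return [(offset, length)] for each non-overlapping match of the pattern in data."""
    return [(m.start(), m.end() - m.start())
            for m in hex_string_to_regex(hex_string).finditer(data)]


def rule_matches(data: bytes) -> bool:
    """The rule's condition 'any of them' with its single string: true iff $XOR_Loop hits."""
    return bool(scan(data))


# Constructed samples (filler NOPs stand in for whatever the compiler emitted
# between the two loop bodies; none of this is real StarBurn.dll content).
LOOP_CMP8 = bytes.fromhex("320c3a83c202880e83fa08")    # first loop body,  cmp edx, 8
LOOP_CMP16 = bytes.fromhex("320c3a83c202880e83fa10")   # second loop body, cmp edx, 0x10
NOP = b"\x90"

POSITIVE = bytes.fromhex("558bec") + NOP * 13 + LOOP_CMP8 + NOP * 8 + LOOP_CMP16 + b"\xc3"
TOO_FAR = LOOP_CMP8 + NOP * 20 + LOOP_CMP16    # gap of 20 exceeds [4-14]: no match
TOO_CLOSE = LOOP_CMP8 + NOP * 3 + LOOP_CMP16   # gap of 3 is below [4-14]: no match
CLEAN = bytes(range(256))                      # contains neither loop body

if __name__ == "__main__":
    for name, blob in [("POSITIVE", POSITIVE), ("TOO_FAR", TOO_FAR),
                       ("TOO_CLOSE", TOO_CLOSE), ("CLEAN", CLEAN)]:
        print(f"{name:9s} rule_matches={rule_matches(blob)} matches={scan(blob)}")
```

The jump is what makes the signature survive small compiler differences between builds: both loop bodies must be present, but the bytes between them are not fixed. If a sample is suspected of being a recompiled variant, widening the jump (or matching on only one body) is the first thing to try, at the cost of more false positives.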
The rule has a single string pattern, so the condition any of them is equivalent to $XOR_Loop: a file or memory region matches as soon as both copies of the loop body appear with 4 to 14 bytes between them. It matches code bytes, not behavior, so a hit does not depend on which process loaded the DLL; the process- and path-based exclusions below belong to the behavioral hunt (a DLL loading and decoding a .dat file) and should not suppress a YARA match. Likely false-positive scenarios for that hunt, with the corresponding exclusions:
Scenario: A legitimate system update or patching tool (e.g., Microsoft Update or Windows Server Update Services) loads a DLL that temporarily processes a .dat file as part of its update validation process.
Filter/Exclusion: Exclude processes associated with known update services (e.g., the svchost.exe instance hosting the wuauserv service), or filter on file paths containing WindowsUpdate or Update.
Scenario: A scheduled backup job (e.g., using Veeam or Acronis) temporarily generates a .dat file during the backup process, which is then unpacked by a legitimate archiving utility (e.g., 7-Zip or WinRAR) as part of archive processing.
Filter/Exclusion: Exclude processes associated with backup tools (e.g., veeambackup.exe, acronisbackup.exe), or filter on file paths containing backup, archive, or temp.
Scenario: A system administrator manually runs a script (e.g., PowerShell or Python) to test or debug a custom application that uses a .dat file for configuration or data storage, and the script uses a DLL to process the file.
Filter/Exclusion: Exclude processes launched by the administrator (e.g., powershell.exe or python.exe) with a known command-line argument or a known administrative user context.
Scenario: A legitimate enterprise application (e.g., Adobe Acrobat or Microsoft Office) uses a third-party DLL to load and process a .dat file as part of its normal operation, such as handling encrypted or obfuscated data.
Filter/Exclusion: Exclude processes associated with known enterprise applications (e.g., AcroRd32.exe, WINWORD.EXE) or filter based on the file
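The scenarios above are individually easy to encode but easy to over-apply: an allowlisted process name alone (svchost.exe, powershell.exe) suppresses far too much. The following added example (not from the page) triages constructed hunting hits for the first three scenarios, requiring the process and the path (or, for the admin scenario, the user) to both fit before a hit is suppressed, and never suppressing a hit on which the $XOR_Loop pattern fired. The record fields, exclusion table layout, paths and user names are assumptions for the example, not a Sentinel schema; the process names and path fragments are the ones the scenarios list.

```python
from dataclasses import dataclass
from typing import Optional


# Added example: constructed hunting records; field names are assumptions,
# not Sentinel table columns.
@dataclass(frozen=True)
class Hit:
    host: str
    process: str      # image that loaded the DLL and read the .dat file
    dat_path: str     # path of the .dat file it read
    user: str         # account the process ran as
    yara_hit: bool    # did $XOR_Loop match the loaded DLL?


# (label, process names, path fragments, user accounts). A hit is suppressed only
# when the process matches AND every other constraint given for the scenario holds.
# Account name and path fragments are example values.
EXCLUSIONS = [
    ("windows-update", {"svchost.exe"}, ("\\windowsupdate\\", "\\update\\"), None),
    ("backup-job", {"veeambackup.exe", "acronisbackup.exe"},
     ("\\backup\\", "\\archive\\", "\\temp\\"), None),
    ("admin-script", {"powershell.exe", "python.exe"}, None, {"corp\\itadmin"}),
]


def matching_exclusion(h: Hit) -> Optional[str]:
    """Return the label of the first exclusion whose constraints all hold, else None."""
    proc, path, user = h.process.lower(), h.dat_path.lower(), h.user.lower()
    for label, procs, fragments, users in EXCLUSIONS:
        if proc not in procs:
            continue
        if fragments is not None and not any(f in path for f in fragments):
            continue
        if users is not None and user not in users:
            continue
        return label
    return None


def triage(hits) -> list:
    """Return (host, verdict, reason) per hit. A YARA match is never suppressed."""
    out = []
    for h in hits:
        if h.yara_hit:
            out.append((h.host, "ESCALATE", "$XOR_Loop matched the loaded DLL"))
            continue
        label = matching_exclusion(h)
        if label:
            out.append((h.host, "SUPPRESS", f"matches exclusion {label}"))
        else:
            out.append((h.host, "REVIEW", "DLL read a .dat file with no matching exclusion"))
    return out


# Constructed hits: the same process name appears with and without its expected context.
HITS = [
    Hit("ws01", "svchost.exe", r"C:\ProgramData\WindowsUpdate\cache.dat", r"NT AUTHORITY\SYSTEM", False),
    Hit("ws02", "svchost.exe", r"C:\Users\Public\payload.dat", r"NT AUTHORITY\SYSTEM", False),
    Hit("ws03", "powershell.exe", r"C:\Dev\app\config.dat", r"CORP\itadmin", False),
    Hit("ws04", "powershell.exe", r"C:\Dev\app\config.dat", r"CORP\jdoe", False),
    Hit("ws05", "veeambackup.exe", r"D:\Backup\job1\chunk.dat", r"CORP\svc_backup", False),
    Hit("ws06", "svchost.exe", r"C:\ProgramData\WindowsUpdate\cache.dat", r"NT AUTHORITY\SYSTEM", True),
]

if __name__ == "__main__":
    for host, verdict, reason in triage(HITS):
        print(f"{host} {verdict:8s} {reason}")
```

ws02 and ws04 show why the constraints are combined: a .dat file under C:\Users\Public read by svchost.exe, or an unprivileged user driving powershell.exe, fits none of the benign scenarios even though the process name does. ws06 shows the override: once the loader signature matches, the path under WindowsUpdate is a reason to look harder, not a reason to close the alert.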