Sid 1-46970

Message

MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection

Summary

This event is generated when an infected internal host makes an outbound connection to an Autophyte command and control server outside the network.

Impact

Trojan Activity.

Detailed information

Autophyte is a remote administration tool believed to be built and run by the Lazarus Group. It is used to collect victim data and potentially drop additional malware.

Affected systems

  • Windows 7, 8, 10

Ease of attack

False positives

None known.

False negatives

None known.

Corrective action

Please follow corporate mitigation procedures.

Contributors

  • Yaser Mansour

Additional References

  • www.virustotal.com/#/file/c10363059c57c52501c01f85e3bb43533ccc639f0ea57f43bae5736a8e7a9bc8/detection
  • www.virustotal.com/#/file/e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292/detection