Sid 1-51533


MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection


This event is generated when C2 traffic produced by BlackRAT is detected.


A Network Trojan was detected

Detailed information

BlackRAT is a trojan that maintains contact with its C2 server by creating a sentinel file on the victim machine. It establishes persistence by copying itself to multiple locations and can exfiltrate data from the victim machine to the C2.

Affected systems

  • Windows 7-10

Ease of attack

False positives

None known.

False negatives

None known.

Corrective action

Please follow corporate malware remediation procedures. Enable the new rules to prevent future C2 call-outs.


  • Cisco Talos Intelligence Group