Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Ransomware-AffiliateExfilTooling.

Upgrade to Pro
THREAT-Ransomware-AffiliateExfilTooling IBM QRadar · QRadar

Detect Ransomware-Affiliate Custom Exfiltration Tooling (StealBit & Exmatter) in IBM QRadar

Ransomware affiliates increasingly deploy purpose-built exfiltration utilities instead of general-purpose tools like rclone, separating the data-theft channel from the encryption payload's C2 infrastructure. StealBit, distributed by LockBit affiliates, is a standalone binary (originally HTTP/HTTPS-based, later versions moved to a raw multi-threaded TCP protocol) that is dropped with a randomized hex/GUID filename into ProgramData, AppData\Local\Temp, or Users\Public, then run with no command-line arguments. It enumerates local and mapped drives, filters for high-value file types (databases, documents, spreadsheets, credential stores), and spawns dozens of concurrent upload threads to a single hardcoded external host to maximize throughput before the encryptor executes. Exmatter, used by BlackMatter/Noberus, BlackCat/ALPHV, and BlackByte affiliates, is a .NET utility that prioritizes specific extensions (.sql, .mdf, .bak, .pdf, .doc/x, .xls/x, .rdp, .kdbx) and exfiltrates over SFTP, FTPS, or WebDAV to attacker-controlled infrastructure using credentials embedded in its configuration; several observed samples overwrite or truncate a subset of already-uploaded source files with random data immediately after a successful transfer, an anti-recovery and extra-leverage behavior distinct from the ransomware's own encryption routine. Both tools are typically staged and executed in the hours immediately preceding encryption, making the exfiltration phase a high-value, narrow detection window before impact.

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    hostname AS Hostname,
    username AS User,
    "Process Name" AS ProcessName,
    "Command Line" AS CommandLine,
    destinationip AS DestinationIP,
    destinationport AS DestinationPort,
    LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
    'SuspiciousLoaderOrFanout' AS ThreatType
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
        "Process Name" MATCHES '.*\\\\(ProgramData|AppData\\\\Local\\\\Temp|Users\\\\Public)\\\\.*'
        AND (
            "Process Name" MATCHES '.*[0-9a-fA-F]{8}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{12}\.exe$'
            OR "Process Name" MATCHES '.*[0-9a-fA-F]{16,32}\.exe$'
        )
        AND ("Command Line" IS NULL OR "Command Line" = '')
    )
    OR (
        destinationport IN (443, 21, 990, 22)
        AND qidname(qid) = 'Firewall Permit'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
high severity medium confidence

QRadar AQL query detecting StealBit/Exmatter-style ransomware-affiliate exfiltration tooling. Identifies argument-less, randomly-named executables launched from ProgramData, AppData\Local\Temp, or Users\Public via WinCollect-sourced Sysmon/Security events, and correlates against permitted outbound connections on FTPS/SFTP/HTTPS ports recorded by firewall log sources. Requires the 'Process Name' and 'Command Line' custom event properties to be extracted from the Windows/Sysmon DSM.

Data Sources

IBM QRadar SIEMMicrosoft Windows Security Event Log (via WinCollect)Sysmon Events (via WinCollect or Universal DSM)Firewall permit logs

Required Tables

events

False Positives & Tuning

  • Software installers dropping randomly-named temp executables in AppData\Local\Temp with no command-line arguments — suppress by whitelisting signed installer hashes in a QRadar reference set
  • Backup/replication jobs generating regular firewall-permitted outbound connections on 443/21/990/22 to known offsite targets — populate a reference set of authorized destination IPs and exclude matching destinationip values

Other platforms for THREAT-Ransomware-AffiliateExfilTooling


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate StealBit-Style Multi-Threaded Exfil Fan-Out

    Expected signal: Sysmon Event ID 1 for a randomly-named executable created in ProgramData; Sysmon Event ID 3 showing 20+ outbound connections to the test endpoint on port 443 within a short window.

  2. Test 2Simulate Exmatter-Style Staging and Post-Upload File Corruption

    Expected signal: Sysmon Event ID 11 for 60 file creations matching the .pdf extension within a short window; Sysmon Event ID 3 for the outbound SFTP connection on port 22; a second Event ID 11/2 for the modification of staged_1.pdf within minutes of the SFTP connection.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Ransomware-AffiliateExfilTooling — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections