3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [1]

ID: S0066
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1024Custom Cryptographic Protocol3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS instead if the DES decoding fails.[1]
EnterpriseT1083File and Directory Discovery3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[1]
EnterpriseT1108Redundant Access3PARA RAT will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim.[1]
EnterpriseT1071Standard Application Layer Protocol3PARA RAT uses HTTP for command and control.[1]
EnterpriseT1032Standard Cryptographic Protocol3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS.[1]
EnterpriseT1099Timestomp3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.[1]

Groups

Groups that use this software:

Putter Panda

References