3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [1]

ID: S0066
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

3PARA RAT uses HTTP for command and control.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails[1]

Enterprise T1083 File and Directory Discovery

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[1]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.[1]

Groups That Use This Software

ID Name References
G0024 Putter Panda

[1]

References