3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [1]

ID: S0066
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1024 Custom Cryptographic Protocol 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS instead if the DES decoding fails.[1]
Enterprise T1083 File and Directory Discovery 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[1]
Enterprise T1108 Redundant Access 3PARA RAT will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim.[1]
Enterprise T1071 Standard Application Layer Protocol 3PARA RAT uses HTTP for command and control.[1]
Enterprise T1032 Standard Cryptographic Protocol 3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS.[1]
Enterprise T1099 Timestomp 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.[1]


Groups that use this software:

Putter Panda