Register to stream ATT&CKcon 2.0 October 29-30


3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [1]

ID: S0066
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1024 Custom Cryptographic Protocol 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS instead if the DES decoding fails. [1]
Enterprise T1083 File and Directory Discovery 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory. [1]
Enterprise T1108 Redundant Access 3PARA RAT will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim. [1]
Enterprise T1071 Standard Application Layer Protocol 3PARA RAT uses HTTP for command and control. [1]
Enterprise T1032 Standard Cryptographic Protocol 3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. [1]
Enterprise T1099 Timestomp 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files. [1]

Groups That Use This Software

ID Name References
G0024 Putter Panda [1]