The sub-techniques beta is now live! Read the release blog post for more info.


InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [1]

ID: S0259
Platforms: Windows
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

InnaputRAT launches a shell to execute commands on the victim’s machine.[1]

Enterprise T1106 Execution through API

InnaputRAT uses the API call ShellExecuteW for execution.[1]

Enterprise T1083 File and Directory Discovery

InnaputRAT enumerates directories and obtains file attributes on a system.[1]

Enterprise T1107 File Deletion

InnaputRAT has a command to delete files.[1]

Enterprise T1036 Masquerading

InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService.[1]

Enterprise T1050 New Service

Some InnaputRAT variants create a new Windows service to establish persistence.[1]

Enterprise T1027 Obfuscated Files or Information

InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.[1]

Enterprise T1082 System Information Discovery

InnaputRAT gathers volume drive information and system information.[1]

Enterprise T1065 Uncommonly Used Port

InnaputRAT uses port 52100 and 5876 for C2 communications.[1]