InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [1]

ID: S0259
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface InnaputRAT launches a shell to execute commands on the victim’s machine.[1]
Enterprise T1106 Execution through API InnaputRAT uses the API call ShellExecuteW for execution.[1]
Enterprise T1083 File and Directory Discovery InnaputRAT enumerates directories and obtains file attributes on a system.[1]
Enterprise T1107 File Deletion InnaputRAT has a command to delete files.[1]
Enterprise T1036 Masquerading InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService.[1]
Enterprise T1050 New Service Some InnaputRAT variants create a new Windows service to establish persistence.[1]
Enterprise T1027 Obfuscated Files or Information InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[1]
Enterprise T1060 Registry Run Keys / Startup Folder Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.[1]
Enterprise T1082 System Information Discovery InnaputRAT gathers volume drive information and system information.[1]
Enterprise T1065 Uncommonly Used Port InnaputRAT uses port 52100 and 5876 for C2 communications.[1]