Register to stream ATT&CKcon 2.0 October 29-30


InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [1]

ID: S0259
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface InnaputRAT launches a shell to execute commands on the victim’s machine. [1]
Enterprise T1106 Execution through API InnaputRAT uses the API call ShellExecuteW for execution. [1]
Enterprise T1083 File and Directory Discovery InnaputRAT enumerates directories and obtains file attributes on a system. [1]
Enterprise T1107 File Deletion InnaputRAT has a command to delete files. [1]
Enterprise T1036 Masquerading InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService. [1]
Enterprise T1050 New Service Some InnaputRAT variants create a new Windows service to establish persistence. [1]
Enterprise T1027 Obfuscated Files or Information InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload. [1]
Enterprise T1060 Registry Run Keys / Startup Folder Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe. [1]
Enterprise T1082 System Information Discovery InnaputRAT gathers volume drive information and system information. [1]
Enterprise T1065 Uncommonly Used Port InnaputRAT uses port 52100 and 5876 for C2 communications. [1]