P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]

ID: S0626
Associated Software: HEAVYPOT, GreetCake
Platforms: Windows
Version: 1.0
Created: 21 June 2021
Last Modified: 14 October 2021

Associated Software Descriptions

Name Description




Techniques Used

Domain ID Name Use
Enterprise T1001 .001 Data Obfuscation: Junk Data

P8RAT can send randomly-generated data as part of its C2 communication.[1]

Enterprise T1105 Ingress Tool Transfer

P8RAT can download additional payloads to a target system.[1]

Enterprise T1057 Process Discovery

P8RAT can check for specific processes associated with virtual environments.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

P8RAT can check the compromised host for processes associated with VMware or VirtualBox environments.[1]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

P8RAT has the ability to "sleep" for a specified time to evade detection.[1]

Groups That Use This Software

ID Name References
G0045 menuPass