Convert Figma logo to code with AI

kevthehermit logoRATDecoders

Python Decoders for Common Remote Access Trojans

1,066
308
1,066
25
View on GitHub

Top Related Projects

eset's avatar

malware-ioc

1,602

Indicators of Compromises (IOC) of our various investigations

Neo23x0's avatar

signature-base

2,433

YARA signature and IOC database for my scanners and tools

mandiant's avatar

flare-floss

3,160

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Quick Overview

RATDecoders is a collection of Python scripts designed to extract configuration information from various Remote Access Trojans (RATs). It provides a set of decoders for different RAT families, helping security researchers and analysts to quickly analyze and understand the configuration of malware samples.

Pros

  • Supports a wide range of RAT families, making it a versatile tool for malware analysis
  • Open-source project, allowing for community contributions and improvements
  • Regularly updated to include new RAT families and improve existing decoders
  • Provides a standardized output format for easy integration with other tools

Cons

  • Some decoders may become outdated as RAT authors update their malware
  • Limited documentation for individual decoders, which may make it challenging for new users
  • Requires Python knowledge to use effectively and extend functionality
  • May not cover all variants or custom versions of RATs

Code Examples

  1. Decoding a RAT sample:
from decoders import njrat
config = njrat.config("path/to/sample.exe")
print(config)
  1. Using the generic decoder:
from decoders import generic
config = generic.config("path/to/unknown_rat.exe")
print(config)
  1. Extracting configuration from a DarkComet sample:
from decoders import darkcomet
config = darkcomet.config("path/to/darkcomet_sample.exe")
print(config)

Getting Started

  1. Clone the repository:

    git clone https://github.com/kevthehermit/RATDecoders.git

  2. Install dependencies:

    pip install -r requirements.txt

  3. Use a decoder:

    from decoders import njrat
config = njrat.config("path/to/sample.exe")
print(config)

Competitor Comparisons

eset logo

malware-ioc

1,602

Indicators of Compromises (IOC) of our various investigations

Pros of malware-ioc

  • Broader scope, covering various malware families and threat actors
  • Regular updates with new IoCs and threat intelligence
  • Includes YARA rules for malware detection

Cons of malware-ioc

  • Less focused on specific RAT decoders
  • May require more processing to extract relevant information
  • Larger repository size, potentially slower to clone and navigate

Code Comparison

RATDecoders:

def run(data):
    rat = CrypterRat()
    conf = rat.config(data)
    return conf

malware-ioc:

rule APT29_NOBELIUM_EnvyScout_Loader {
    meta:
        description = "Detects EnvyScout loader used by NOBELIUM"
    strings:
        $s1 = "EnvyScout" ascii wide
    condition:
        uint16(0) == 0x5A4D and $s1
}

The code snippets demonstrate the different focus of each repository. RATDecoders provides Python scripts for decoding specific RAT configurations, while malware-ioc offers YARA rules for detecting various malware families and threat actors.

Neo23x0 logo

signature-base

2,433

YARA signature and IOC database for my scanners and tools

Pros of signature-base

  • Broader scope, covering various malware types and threat detection signatures
  • More actively maintained with frequent updates
  • Larger community and contributor base

Cons of signature-base

  • More complex structure, potentially harder to navigate for specific RAT decoders
  • May require more setup and integration for focused RAT decoding tasks
  • Larger repository size, which could be overkill for simple RAT decoding needs

Code Comparison

signature-base (YARA rule example):

rule SUSP_LNK_SmallFile_with_PowerShell_Feb23 {
   meta:
      description = "Detects suspicious small LNK file with PowerShell command"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2023-02-24"
   strings:
      $s1 = "powershell" nocase wide ascii
   condition:
      uint16(0) == 0x004c and filesize < 1KB and $s1
}

RATDecoders (Python decoder example):

def run(data):
    raw_config = get_config(data)
    # Parse config
    config = {}
    config['Domain'] = raw_config[0]
    config['Port'] = raw_config[1]
    config['Campaign Name'] = raw_config[2]
    return config

The code comparison shows that signature-base focuses on detection rules (YARA), while RATDecoders provides specific decoding functions for RATs. signature-base offers a more versatile approach to threat detection, whereas RATDecoders is specialized for RAT configuration extraction.

mandiant logo

flare-floss

3,160

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Pros of flare-floss

  • More comprehensive functionality, including string extraction, stack strings, and obfuscated strings
  • Actively maintained with regular updates and contributions
  • Extensive documentation and usage examples

Cons of flare-floss

  • Steeper learning curve due to more complex features
  • Requires more system resources for analysis
  • May be overkill for simpler malware analysis tasks

Code comparison

RATDecoders:

def run(data):
    raw_config = {}
    # ... (specific decoding logic)
    return raw_config

flare-floss:

def extract_strings(vw, function_address):
    strings = []
    # ... (complex string extraction logic)
    return strings

RATDecoders focuses on specific malware family decoding, while flare-floss provides a more general-purpose string extraction and analysis tool. RATDecoders is simpler to use for targeted analysis, but flare-floss offers more advanced capabilities for a wider range of malware analysis tasks.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

RATDecoders

Malconf is a python3 library that can be used to staticly analyse specific malware families and extract the Configuration data that can be used by Incident Responders during an incident.

As a library it can also be installed in to automated malware analysis pipelines.

Coverage

Build Status

Installation

Requirements

There are some pre-reqs that are included in the pip setup and the requirements.txt

  • pefile
  • pbkdf2
  • javaobj-py3
  • pycrypto
  • androguard

For all the decoders you will need yara and yara-python. For dealing with .NET malware you will need to install yara-python with dotnet support

yara-python with dotnet support
git clone --recursive https://github.com/VirusTotal/yara-python
python3 setup.py build --enable-magic --enable-dotnet
sudo python3 setup.py install

Install from pip

pip3 install --upgrade malwareconfig

Install from repo

git clone git@github.com:kevthehermit/RATDecoders.git
cd RATDecoders
pip3 install -r requirements.txt
python3 setup.py install

Current Rats

Here is a list of the currently supported RATS:

  • LostDoor
  • Xtreme
  • AAR
  • AdWind
  • Adzok
  • AlienSpy
  • Alina
  • Arcom
  • BlackNix
  • BlackShades
  • BlueBanana
  • Bozok
  • ClientMesh
  • CyberGate
  • DarkComet
  • DarkRAT
  • HawkEye
  • Hrat / hworm / WSH
  • Jbifrost
  • JRat
  • LuminosityLink
  • LuxNet
  • NanoCore
  • NetWire
  • njRat
  • Plasma
  • Remcos
  • Saefko
  • Sakula
  • SpyNote / Mobihook

Upcoming RATS

  • Still migrating old ones!

Usage

Using the supplied command line tool malconf you can pass in a single file or a directory with the -r flag and it will attempt to automagically detect the family and extract any config.

You can also use the -o option to write results out to a file.

malconf

malconf -l This will list all the supported rats

malconf /path/to/sample This will automagically detect the family and run the decoder

⇒  malconf tests/samples/alienspy 

 __  __       _  ____             __ 
|  \/  | __ _| |/ ___|___  _ __  / _|
| |\/| |/ _` | | |   / _ \| '_ \| |_ 
| |  | | (_| | | |__| (_) | | | |  _|
|_|  |_|\__,_|_|\____\___/|_| |_|_| 

Malware Configuration Parser by @kevthehermit

[+] Loading File: tests/samples/alienspy
  [-] Found: AlienSpy
  [-] Running Decoder
  [-] Config Output

{'ConfigKey': 'fzGUoTaQH3SUW7E82IKQK2J2J2IISIS',
 'NAME': 'ok',
 'Version': 'B',
 'connetion_time': '0',
 'desktop': 'true',
 'dns': '213.208.129.211',
 'extensionname': 'qQJ',
 'folder': 'java',
 'instalar': 'true',

Library

If you pip install you can also use it is a library.

from malwareconfig import fileparser
from malwareconfig.modules import __decoders__, __preprocessors__

# Open and parse the file
sample_path = '/path/to/sample.exe'
file_info = fileparser.FileParser(file_path=sample_path)

# Check for a valid decoder and then parse
if file_info.malware_name in __decoders__:
    module = __decoders__[file_info.malware_name]['obj']()
    module.set_file(file_info)
    module.get_config()
    conf = module.config
    pprint(conf)

Thanks

Full credit where credit is due.

Malware.lu for the initial xtreme Rat Writeup - https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT

Fireye for their Poison Ivy and Xtreme rat WriteUps (Even though they ignored my tweets :-) ) - http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html

Shawn Denbow and Jesse Herts for their paper here - http://www.matasano.com/research/PEST-CONTROL.pdf Saved me a lot of time