{
	"id": "2a7887d9-6684-4496-a191-12a62b497b63",
	"created_at": "2026-04-06T01:28:50.104882Z",
	"updated_at": "2026-04-10T13:12:25.932978Z",
	"deleted_at": null,
	"sha1_hash": "4c643410718f6765b1a80f105ab470040e864707",
	"title": "An Exhaustively-Analyzed IDB for ComRAT v4 — Möbius Strip Reverse Engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48448,
	"plain_text": "An Exhaustively-Analyzed IDB for ComRAT v4 — Möbius Strip\r\nReverse Engineering\r\nBy Rolf Rolles\r\nPublished: 2020-09-01 · Archived: 2026-04-06 00:09:29 UTC\r\nThis blog entry announces the release of an exhaustive analysis of ComRAT v4. You can find the IDBs here.\r\nMore specifically, an IDB for the sample with hash 0139818441431C72A1935E7F740A1CC458A63452, which\r\nwas mentioned in the ESET report (see especially its attached PDF), and which is available online on Hybrid\r\nAnalysis. All of the analysis has been performed in Hex-Rays 64-bit, so the results will be less interesting to IDA\r\nusers who do not own Hex-Rays 64-bit. That is to say, if you open the IDB, you should definitely use Hex-Rays to\r\nview the function decompilations, as that is where all of the naming and commenting has taken place. It is rich\r\nwith detail, in comparison to the disassembly listing's barrenness.\r\nThis analysis took roughly six weeks of full-time work. I have spent the pandemic working on a new training class\r\non C++ reverse engineering; part of the preparation includes large-scale analysis of C++ programs. As such,\r\nESET's report of ComRAT's use of C++ caught my eye. ComRAT has a beautiful architecture, and many\r\nsophisticated components, all of which I believe deserve a detailed report unto themselves. I had begun writing\r\nsuch a report, but decided that it was side-tracking me from my ultimate goals with my new training class. Hence,\r\nI had decided to wait until the class was ready, and release a collection of reports on the software architectures of\r\nC++ malware families (perhaps as a book) after I was done. Thus, my write-up on ComRAT's architecture will\r\nhave to wait. You can consider this release, instead, as a supplement to the ESET report.\r\n(Note that if you are interested in the forthcoming C++ training class, it probably will not be available for roughly\r\nanother year. More generally, remote public classes (where individual students can sign up) are temporarily\r\nsuspended; remote private classes (multiple students on behalf of the same organization) are currently available. If\r\nyou would like to be notified when public classes become available, or when the C++ course is ready, please sign\r\nup on our no-spam, very low-volume, course notification mailing list. (Click the button that says \"Provide your\r\nemail to be notified of public course availability\".) )\r\n(Note also that I have more analyses like this waiting to be released. FlawedGrace and XAgent are ready; Kelihos\r\nis in progress. If you can provide me with a bundle of Careto SGH samples, preferably Windows 64-bit, please get\r\nin touch.)\r\nAbout the Analysis\r\nThis analysis was conducted purely statically, without access to RTTI, or any other form of debug information.\r\nThe only external information I had was the ESET report. I have reverse engineered every function in the binary\r\nthat is not part of the C++ standard library, and some of those that are. To get an idea of what the sample looks like\r\nbefore and after analysis, here's a screenshot of the binary freshly loaded into IDA on the left, versus the analyzed\r\none on the right. See if you can spot the difference:\r\nhttps://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4\r\nPage 1 of 3\n\nAlthough I believe that the IDB could probably be loaded in versions of IDA prior to 7.5, I nevertheless\r\nrecommend using IDA 7.5 to view it. The reason for that is because I have made extensive use of 7.5's new\r\n\"folders\" feature to organize the functions and local types windows, which I found massively useful for large-scale\r\nreverse engineering. Those two windows have a nearly identical organization; if you were to dock the windows\r\nside-by-side, you would see something like this:\r\nAs a result of this analysis, I wrote many Hex-Rays plugins, and devised a number of techniques in C++ reverse\r\nengineering that were new to me. Eventually, I will publish on topics such as the following:\r\nA Hex-Rays plugin for navigating virtual function cross-references\r\nReverse engineering STL containers, the easy way\r\nA Hex-Rays plugin for virtual inheritance\r\nTips for reverse engineering multiple inheritance\r\nAutomated creation of VTable structure types\r\nAutomation for detecting inlined functions, and the addition of stock comments\r\nComRAT uses a lot of C++ features; a mostly complete list follows. If you're interested in learning how to reverse\r\nengineer C++ programs, you might do well to study how I analyzed the parts of the binary that interact with them.\r\nInheritance\r\nPolymorphism (virtual functions)\r\nCustom templates\r\nMultiple and virtual inheritance (due to iostreams)\r\nSTL, listed in descending order of usage frequency:\r\nshared_ptr\u003cT\u003e\r\nvector\u003cT\u003e\r\nstring\r\nwstring\r\nlocale\r\nunique_ptr\u003cT\u003e\r\nwstringstream\r\nstringstream\r\nfstream\r\nlist\u003cT\u003e\r\nmap\u003cK,V\u003e\r\nregex\r\nwstring_convert\r\nrandom\r\nNotes on the Sample\r\n1. Although the use of Gmail as a covert channel was a major aspect of the ESET report, I could not get my\r\nhands on any samples that had that feature. However, this sample does contain some of the Gmail\r\ncommunication code -- the Gumbo library is compiled into it, and the configuration in the virtual file\r\nsystem contains a \"mail\" subdirectory, with similar entries to those in the ESET report. Perhaps that feature\r\nwas still in development, or was deliberately not compiled into my sample for whatever reason.\r\n2. One striking feature of the ESET report was that their sample had RTTI information compiled into it,\r\nwhich provided the names of many of the classes used within ComRAT. I.e., section 4.3 of the ESET report\r\nmentions specific class names, as created by the ComRAT programmers. However, my sample had no such\r\nRTTI information. Therefore, all of my analysis had to be done from scratch. I used the few names\r\nprovided in the report as a guide when creating my own.\r\n3. To the extent I was able to verify their claims, everything in the ESET report is accurate. There are a few\r\nminor technical details in my sample that were different, but are barely worth mentioning, and might have\r\nlegitimately changed between the creation of my sample and the non-public one they analyzed.\r\nSource: https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4"
	],
	"report_names": [
		"an-exhaustively-analyzed-idb-for-comrat-v4"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438930,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c643410718f6765b1a80f105ab470040e864707.pdf",
		"text": "https://archive.orkl.eu/4c643410718f6765b1a80f105ab470040e864707.txt",
		"img": "https://archive.orkl.eu/4c643410718f6765b1a80f105ab470040e864707.jpg"
	}
}