{
	"id": "ad77bcb6-c70e-4b64-964e-834c43bc3d62",
	"created_at": "2026-04-06T00:08:20.221726Z",
	"updated_at": "2026-04-10T03:21:20.592267Z",
	"deleted_at": null,
	"sha1_hash": "527cf70b72f0d60539d28a3c5efd65d6f53ced73",
	"title": "InnfiRAT is aiming for cryptocurrency | Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6099502,
	"plain_text": "InnfiRAT is aiming for cryptocurrency | Blog\r\nBy Sahil Antil, Rohit Chaturvedi\r\nPublished: 2019-09-12 · Archived: 2026-04-05 20:29:54 UTC\r\nRecently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to\r\nperform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it\r\ncommunicates, all the tasks it performs, and the information it steals.\r\n \r\nBackground\r\nAs with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user's\r\ncomputer. Among other things, InnfiRAT is written to look for cryptocurrency wallet information, such as Bitcoin and\r\nLitecoin. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition,\r\nthis RAT has ScreenShot functionality so it can grab information from open windows. For example, if the user is reading\r\nemail, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus\r\nprogram.  \r\nInnfiRAT sends the data it has collected to its command-and-control (C\u0026C) server and requests further instructions. The\r\nC\u0026C can also instruct the malware to download additional payloads onto the infected system.\r\n \r\nTechnical analysis\r\n1) Before executing the main payload, the malware initially checks whether the file is executing from %AppData% directory\r\nor not with the name NvidiaDriver.exe. If not, then a web request is sent to “iplogger[.]com/1HEt47\" (possibly to check\r\nnetwork connectivity).\r\n2) It records all the running processes in an array, then iterates through each process and checks whether any process is\r\nrunning with the name NvidiaDriver.exe. 
If so, the malware kills that process and waits for it to exit.\r\n \r\nFigure 1: Checks execution location, terminates process with name NvidiaDriver\r\n3) InnfiRAT copies itself as %AppData%/NvidiaDriver.exe and executes it from %AppData% before terminating the current\r\nprocess.\r\nhttps://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more\r\nPage 1 of 17\n\nFigure 2: The malware makes a copy of itself in %AppData%\r\n \r\n4) After confirming the path of file execution, it writes a Base64-encoded PE file in memory, which is later decoded into its\r\nactual format and is loaded after changing the entry point of the file. This is also a .NET executable and contains the\r\nactual functionality of the malware.\r\n \r\nFigure 3: Embedded PE file in encoded form\r\n \r\nFigure 4: Embedded PE file is decoded and executed\r\nAnalysis of embedded .NET executable\r\nAll the strings inside the file are encoded with a custom encoding scheme that utilizes the XOR operation.\r\nFigure 5: Strings decoding logic\r\nAs the execution of the malware starts, it checks for the presence of a VM environment. It does so by checking the return\r\nvalue from the routine JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337. If the return value is equal to\r\nthe first value, enum[0], defined in the enum shown below, then it continues the execution; otherwise it terminates.\r\n \r\nFigure 6: User-defined enum structure\r\nAfter performing the VM checks, the malware obtains the country and HWID information of the machine it is running on.\r\nTo obtain the country information, it calls the routine EjarVhXфf8752612307563884480() [FetchNetworkInfo] and fetches\r\nthe Country key value from the returned data in JSON format. 
Similarly, to obtain the HWID, it calls\r\nthe routine ubобмдGogBлzWKrgrыaZucвлC33208440168().\r\nAnti-VM checks\r\nInside the JкыnеюwPреюLLщzьhdкXoJxбюHхрйFWрDлнруG7574208083337() [VMDetection] routine:\r\nNote: All the enum values are referenced using enum[index] during analysis, where the index starts from 0.\r\n1. Performs a WMI query to obtain the following information:\r\n\"Manufacturer\"\r\n\"Caption\"\r\n\"Name\"\r\n\"ProcessorId\"\r\n\"NumberOfCores\"\r\n\"NumberOfLogicalProcessors\"\r\n\"L2CacheSize\"\r\n\"L3CacheSize\"\r\n\"SocketDesignation\"\r\nIt then checks, one by one, whether the manufacturer contains one of the strings below and returns the value from\r\nthe enum as specified:\r\n“VBoxVBoxVBox”          returns enum[2]\r\n“VMwareVMware”          returns enum[1]\r\n“Prl hyperv”            returns enum[3]\r\n“Microsoft Corporation” returns enum[4]\r\n2. A WMI query is performed again, but this time to obtain the following information:\r\n\"DeviceID\"\r\n\"MediaType\"\r\n\"Model\"\r\n\"PNPDeviceID\"\r\n\"SerialNumber\"\r\nA check is performed to see whether the PNPDeviceID contains one of the strings below, returning the value from the enum as specified:\r\n“VBOX_HARDDISK”         returns enum[2]\r\n“VEN_VMWARE”            returns enum[1]\r\nIf none of the above conditions match, it returns enum[0].\r\nMachine network information\r\nInside the EjarVhXфf8752612307563884480() [FetchNetworkInfo] routine:\r\nA web request is sent to the URL https://ipinfo[.]io/json and the received data is returned from the function. 
The\r\nreceived data contains the following information:\r\n  \"ip\"\r\n  \"city\"\r\n  \"region\"\r\n  \"country\"\r\n  \"loc\"\r\n  \"postal\"\r\n  \"org\"\r\n \r\nFigure 7: Web request being made\r\nNetwork communication\r\n \r\nInside the мMлFкCцеGPбiбqюK1559516831() [CreateDuplexChannel] routine:\r\nInnfiRAT sets up a duplex channel with the name “IVictim”\r\nusing DuplexChannelFactory with the endpoint tcp://62[.]210[.]142[.]219:17231/IVictim\r\n \r\nFigure 8: Creating a duplex channel with the C\u0026C server\r\nAfter forming the duplex channel with the name IVictim, it uses the IVictim interface, which contains the\r\nfollowing methods:\r\n“Subscribe”\r\n“CompleteTask”\r\n“GetDlls”\r\n“AvailableTasks”\r\n \r\nFigure 9: Available methods in the IVictim interface\r\nInside the SуkdVkцiшkUояUuчPуюяmмuty187968776() [SubscribeVictim] routine:\r\nInnfiRAT calls the Subscribe method from the IVictim interface with login = “innfiniti”\r\n \r\nFigure 10: The Subscribe method from the IVictim interface is invoked\r\nInside the хaxeYхсиghIжNпDмвQюwkуpкgимuбсфbnдбMвMC67210633684721828() [GetAndExecuteSpecifiedTask]\r\nroutine:\r\nInnfiRAT obtains the tasks inside a UserTask list by invoking AvailableTasks, where UserTask has the following keys:\r\n“ID”\r\n“Action”\r\n“URL”\r\n“FinalPoint”\r\n“Current”\r\n“Status”\r\n“Country”\r\n“RunSilent”\r\n“Argument”\r\nIt iterates through each task. 
On each iteration, it first checks that the Country value received is either “ALL” or equal to the\r\none stored in the BasicInfoVictim class obtained earlier, that the Action to perform is \"DownAndEx\", and\r\nthat a URL value is available.\r\nIf all of these conditions hold, the CompleteTask method is called with three arguments:\r\n“login”\r\n“hwid”\r\n“TaskID”\r\n \r\nThe RAT then calls the routine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with\r\nthree arguments to execute the file:\r\nArg1 = Path of the file to be executed [obtained from the URL]\r\nArg2 = Arguments to the file to be executed [obtained from the Argument key of the current UserTask element]\r\nArg3 = true/false [obtained from the RunSilent key of the current UserTask element]\r\nAfter iterating over all items in the UserTask list, it sleeps for 30,000 milliseconds.\r\n \r\nFigure 11: Country, action, and URL checks are performed and the specified task is completed\r\nProcess checks\r\nInside the LlсiсkнwychhVзjзNзxрFrUOE4656655235232302206601527615541285() [ProcessCheck] routine:\r\nAll the running processes in the system are obtained, their names are converted to lowercase, and then a check is performed\r\nto see if the name matches any of the following strings:\r\n“taskmgr”\r\n“processhacker”\r\n“procmon”\r\n“procexp”\r\n“pchunter”\r\n“procexp64”\r\nIf there are any matches, the process terminates. 
Below are the snapshots depicting the actions performed.\r\n \r\nFigure 12: Obtaining processes, converting their names to lowercase, checking specific processes\r\nFigure 13: Converting ProcessName to lowercase\r\nFigure 14: Checking for above-mentioned running processes (process names are obfuscated here)\r\nInside the wYxйыrоyTHuLдTч212065() [KillProcesses] routine:\r\nInnfiRAT obtains the list of all processes running in the system and kills any process whose name contains one of the\r\nfollowing strings:\r\n“chrome”\r\n“browser”\r\n“firefox”\r\n“opera”\r\n“amigo”\r\n“kometa”\r\n“torch”\r\n“orbitum”\r\n \r\nFigure 15: Kills processes that contain any of the above-mentioned strings\r\nScheduled execution\r\nInside the эйviMhйсuьZCпJфшcкLйшuв348374() [ScheduleMalwareExecution] routine:\r\nThe CMD (cmd.exe) command string is constructed and executed to schedule the malware execution. The command string\r\nlooks like this:\r\n/C schtasks /create /tn WindowsUpdater /tr \"%AppData%NvidiaDriver.exe \" /st HH:mm /du 9999:59 /sc daily /ri 1 /f\r\n \r\nFigure 16: CMD command is constructed and executed\r\nC\u0026C commands\r\nHere are some tasks performed by the malware based on the commands received from the C\u0026C server:\r\n1. SendUrlAndExecute(string URL)\r\nInnfiRAT downloads the file from the specified URL by calling the\r\nroutine жRfаeQbrwйfsLGыhчUrEжьFхaяGчрлCдtGжSofьQvдnIмs8383484343838630833542717281211()\r\n[DownloadFileFromUrl]. Inside this routine, a directory named TEMP is first created inside %AppData% if it\r\ndoesn’t already exist. Then the file is downloaded and saved inside this folder with the name extracted from the passed URL. 
The\r\nURL passed is broken into parts via the delimiter ‘/’ and the last item is used as the file name.\r\n \r\nFigure 17: Create folder and download file\r\nOnce the download is complete, it calls the\r\nroutine rLPсаWFоWcTjzпTэBFWkъмзтшпD147152108377454681517643543() [ExecuteFile] with three arguments to\r\nexecute the downloaded file:\r\nArg1 = Path of the file to be executed\r\nArg2 = Arguments to the file to be executed\r\nArg3 = true\r\nFigure 18: Execute the downloaded file\r\n2. ProfileInfo()\r\nInside the routine, it collects the following information:\r\n“NetworkInfo”: {\r\n\"ip\"\r\n\"city\"\r\n\"region\"\r\n\"country\"\r\n\"loc\"\r\n\"postal\"\r\n\"org\"\r\n}\r\n“PCAdmin”\r\n“PCInformation”: {\r\n“FrameWorkDescription”\r\n“Processors”\r\n“PRocessorsCore”\r\n“VideoCards”\r\n}\r\nIt then sends the information to the C\u0026C server.\r\nFigure 19: UserProfile info being collected and sent to the C\u0026C server\r\n3. LoadLogs()\r\nIt calls the GetDlls() routine, which obtains information inside a list of type DownloadDll, where DownloadDll has two keys:\r\n“Path”         a relative path to an .exe file\r\n“ByteArray”    binary data\r\n \r\nFigure 20: GetDlls being called\r\nAfter fetching the list, InnfiRAT traverses each element inside the list via a for-loop. Inside the for-loop:\r\nThe value of the Path key is split using the delimiter “\\\\”. The second value in the split is the name of the directory. A check is\r\nperformed to see if the count after the split is greater than 2 and there is no directory with the name obtained from the Path\r\nkey split inside the executing module directory. If the check is true, a directory with the obtained name is created. 
\r\nA check is performed to see whether the file specified by the Path key exists in the executing module directory. If it does not, the malware creates\r\nthe file and writes the value of ByteArray to this created file.\r\nThe routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called.\r\nFinally, data obtained from UserProfile() is sent to the C\u0026C server.\r\n \r\nFigure 21: A directory is created, file is created, and KillProcesses is called; response is sent to the C\u0026C server\r\n4. LoadCookies() - Steal browser cookie information\r\nInnfiRAT calls the GetDlls() routine, which obtains information inside a list of type DownloadDll, where DownloadDll has\r\ntwo keys:\r\n“Path”         a relative path to an .exe file\r\n“ByteArray”    binary data\r\n \r\nFigure 22: GetDlls being called\r\nAfter fetching the list, the malware traverses each element inside the list via a for-loop. The following occurs inside the for-loop:\r\nThe value of the Path key is split using the delimiter “\\\\”. The second value in the split is the name of the directory. A check\r\nis performed to see if the count after the split is greater than 2 and there is no directory with the name obtained from the Path key\r\nsplit inside the executing module directory. If the check is true, a directory with the obtained name is created.\r\nA check is performed to see whether the file specified by the Path key exists in the executing module directory. If it does not, the malware\r\ncreates the file and writes the value of ByteArray to this created file. 
\r\n \r\nFigure 23: Directory is created, file is created\r\nIt creates an empty list of BrowserCook type, where BrowserCook has two keys, namely:\r\n“CookiePaths”\r\n“BrowserName”\r\nThe name and corresponding cookie path are retrieved for the following browsers one by one:\r\n“Chrome”\r\n“Yandex”\r\n“Kometa”\r\n“Amigo”\r\n“Torch”\r\n“Orbitum”\r\n“Opera”\r\n“Mozilla”\r\nA BrowserCook type element is created with the fetched information and is added to the list created earlier.\r\n \r\nFigure 24: Browser info is retrieved and added to the list\r\nIt creates an empty list of BrowserCookie type, where BrowserCookie has three keys, namely:\r\n“Browser”\r\n“FileName”\r\n“FileArray”\r\nInside two for-loops, elements of the BrowserCookie type are created, where the Browser key and FileArray key are both\r\nassigned values using the information from the previously created BrowserCook list, and the FileName is set\r\nto _Cookie.txt if the browser name for the current element is not “Mozilla”, or to Cookie.txt otherwise.\r\n \r\nFigure 25: BrowserCookie elements list is built\r\nThe harvested BrowserCookie list is then sent to the C\u0026C server and the temporary file and directory are deleted.\r\n \r\nFigure 26: File and directory are deleted\r\n5. 
LoadWallets() - Steal Bitcoin wallets\r\nThe malware creates an empty list of the BitcoinWallet type, where BitcoinWallet has two keys, namely:\r\n“WalletArray”\r\n“WalletName”\r\nA check is performed to see if a file for a Litecoin or Bitcoin wallet is present in the system at the following location:\r\nLitecoin: %AppData%\\Litecoin\\wallet.dat\r\nBitcoin: %AppData%\\Bitcoin\\wallet.dat\r\nIf it is found, then an element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and\r\nreading the corresponding wallet file into the WalletArray key.\r\n \r\nFigure 27: File presence is checked, BitcoinWallet element is added to the list\r\nFinally, the created list is sent in response to the C\u0026C server.\r\n \r\nFigure 28: List is sent in response to the C\u0026C server\r\n6. LoadFiles() - Steal small text files potentially containing sensitive information\r\nInnfiRAT collects all the .txt files available on the desktop whose size is less than 2,097,152 bytes inside a list of CustomFile\r\ntype. CustomFile has two keys, namely:\r\n“Name”\r\n“FileArray”\r\nThe created list is sent in response to the C\u0026C server.\r\n \r\nFigure 29: Files are collected and sent to the C\u0026C server\r\nFigure 30: Inside HcапkцтеuxчI46156665847187238336657104255061.лQtdjюAKMCdскHUжfъqZTzmMнуз68532317728035381607276587242500 [CollectFiles]\r\n7. LoadProcesses() - Get the list of running processes on the victim machine\r\nInnfiRAT creates an empty list of type ProcessInfo, where ProcessInfo has three keys, namely:\r\n“ID”\r\n“Name”\r\n“Path”\r\nIt obtains the list of all the processes running in the system and sends the list in response to the C\u0026C server.\r\n \r\nFigure 31: Process information is obtained and the list is sent to the C\u0026C server\r\n8. 
Kill(int process) - Command to kill a specific process on the victim machine\r\nInnfiRAT obtains the list of all the processes running in the system and then, inside a for-loop, the process ID of each obtained\r\nprocess is compared with the process ID passed as an argument to this routine, one at a time. If there is a match, the process\r\nis killed and the flag variable is set to true.\r\nFinally, a response is sent to the C\u0026C server.\r\n \r\nFigure 32: Process is killed and response is sent\r\n9. Screenshot() - Take a screenshot on the victim machine\r\nIt calls the qюFpьGoJv97921676245() [CaptureScreenshot] routine and the returned value is sent to the C\u0026C server.\r\n \r\nFigure 33: Screenshot captured and sent to the C\u0026C server\r\nFigure 34: Inside the qюFpьGoJv97921676245() [CaptureScreenshot] routine\r\n10. RunCommand(string command) - Execute the specified command on the victim machine\r\nThis creates a new CMD process, builds the command line argument using the command passed as an argument to this\r\nroutine, and finally starts the process.\r\nCommand line argument: /c + “ ” + command\r\n \r\nFigure 35: Received command is executed\r\n11. 
ClearCooks() - Clears browser cookies on the victim machine for specific browsers\r\nInnfiRAT creates an empty list of BrowserCook type, where BrowserCook has two keys, namely:\r\n“CookiePaths”\r\n“BrowserName”\r\nThe name and corresponding cookie path are retrieved for the following browsers one by one:\r\n“Chrome”\r\n“Yandex”\r\n“Kometa”\r\n“Amigo”\r\n“Torch”\r\n“Orbitum”\r\n“Opera”\r\n“Mozilla”\r\n \r\nA BrowserCook type element is created with the fetched information and is added to the list created earlier.\r\nFigure 36: Browser info is retrieved and added to the list\r\nThe routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called.\r\nThe BrowserCook type list created earlier is traversed and the cookie files are deleted using the CookiePaths key value.\r\nFinally, a response is sent to the C\u0026C server.\r\n \r\nFigure 37: The routine wYxйыrоyTHuLдTч212065() [KillProcesses] is called, cookie files are deleted, and response is sent to the C\u0026C server\r\nConclusion\r\nA RAT (remote-access trojan) is a type of malware that includes a backdoor, giving intruders the ability to control the\r\ntargeted computer remotely and enabling them to perform any number of tasks, such as logging keystrokes, accessing\r\nconfidential information, activating the system's webcam, taking screenshots, formatting drives, and more. 
They can also be\r\ndesigned to spread to other systems on a network.\r\nBecause RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that\r\nhas been infected, the first line of defense is often the users, who must, as always, refrain from downloading programs or\r\nopening attachments that aren't from a trusted source.\r\nThe ThreatLabZ team continues to monitor this threat and ensure that Zscaler customers are protected.\r\nIOCs\r\nMD5: f992dd6dbe1e065dff73a20e3d7b1eef\r\nDownloading URL:\r\nrgho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peuge\r\nNetwork URL: tcp://62[.]210[.]142[.]219:17231/IVictim\r\nSource: https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more"
	],
	"report_names": [
		"innfirat-new-rat-aiming-your-cryptocurrency-and-more"
	],
	"threat_actors": [],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/527cf70b72f0d60539d28a3c5efd65d6f53ced73.pdf",
		"text": "https://archive.orkl.eu/527cf70b72f0d60539d28a3c5efd65d6f53ced73.txt",
		"img": "https://archive.orkl.eu/527cf70b72f0d60539d28a3c5efd65d6f53ced73.jpg"
	}
}