{
	"id": "33c20d7d-128b-49b3-bae9-3d94faa9088d",
	"created_at": "2026-04-06T00:10:09.484989Z",
	"updated_at": "2026-04-10T03:20:51.874228Z",
	"deleted_at": null,
	"sha1_hash": "636bab45ab87f4e354a32905b81878d05c67cc5f",
	"title": "Pekraut - German RAT starts gnawing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 311533,
	"plain_text": "Pekraut - German RAT starts gnawing\r\nBy Karsten Hahn, G DATA Security Center\r\nPublished: 2021-06-15 · Archived: 2026-04-05 21:56:05 UTC\r\n04/02/2020\r\nReading time: 5 min (1429 words)\r\nFeature-rich remote access malware Pekraut emerges. The rodent seems to be of German origin and is ready to be released. We analyzed the malware in-depth.\r\nWhile searching for new malware via suspicious paths, a fake svchost.exe in %APPDATA%\\Microsoft tipped us off. The sample[1] is a .NET application packed with ConfuserEx. The file was uploaded to VirusTotal as netRat.exe. The same name is also stated in the file's version information as InternalName and OriginalFilename. The version information also carries a copyright statement for 2019.\r\nVia similarity search we found a second sample[2] that was uploaded to VirusTotal a day later. It is not packed but obfuscated with Dotfuscator. Unpacking the ConfuserEx sample[1] results in a file that is almost identical to the second sample[2].\r\nThe obfuscation removed the original names of .NET symbols such as classes, variables and methods. We did not find any non-obfuscated Pekraut sample, so we manually named the symbols based on their usage, resulting in sample[3]. The deobfuscated sample[3] is also used for the screenshots in this article. Please note that those symbol names are not part of the original source code and thus do not suffice for signatures.\r\nPekraut RAT's command list\r\nPekraut's client accepts 27 commands. The help command sends a German description of every command to the server. The commands themselves are still English, though.\r\nSome commands do not exactly offer what their explanations say; e.g. the dbg command is not fully implemented. The class responsible for managing all commands has seven placeholder objects in the command listing (see image below). The reason is most likely just a quirky way to place a newline when printing the help string of all commands.\r\nhttps://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing\r\nPage 1 of 7\n\nTo sum up, the whole RAT is quite function-rich and fully implemented except for the debugging option. Malware authors are not exempt from being so confident in their code that precautionary steps are neglected.\r\nThe table below sums up our analysis of the actual implementation of the commands.\r\nCommand  Description\r\nspy_cb  Writes clipboard data, or reads the clipboard and sends it back to the server. Images stored in the clipboard are also supported.\r\nspy_keylogger  Logs keystrokes. Supports these special keys: VK_OEM_NEC_EQUAL, VK_LShift, VK_RShift, VK_Scroll, VK_LMenu, VK_RMenu, VK_RControl, VK_LControl\r\nspy_mic  Starts and stops recording with a microphone and sends the data to the server.\r\nspy_scr  Shows information about a screen or takes a screenshot of a chosen screen and sends it to the server.\r\nspy_cam  Takes a single picture via webcam or streams the webcam to the server.\r\nreg_list  Lists all subkeys and values of a given registry key.\r\nreg_del  Deletes a registry key/value and sends the deleted key to the server.\r\nreg_read  Reads a registry value and sends it to the server.\r\nreg_value  Creates/writes a value in the registry.\r\nproc_kill  Kills a process via name or ID.\r\nproc_list  Sends process names and IDs of all running processes to the server.\r\nproc_start  Executes a file via a given path.\r\nfile_delete  Deletes a file or folder.\r\nfile_download  Downloads a file from a given URL.\r\nfile_info  Sends the following information about a file to the server: filename, filename extension, size, creation date, last access and the read-only attribute.\r\nfile_list  Sends all file and folder names within a folder to the server. Extra option to list all available drives.\r\nfile_send  Sends a file to the server.\r\nexploit_admin_win10  Uses a Windows 10 UAC bypass method to start a given program with admin rights. More details on this later on.\r\npc_cmd  Starts a command via cmd.exe and sends the output to the server.\r\npc_shutdown  Shuts down the PC.\r\nsysinfo  Sends information such as the machine name, the username, the OS and processor architecture, the screen count, the webcam count and the microphone count to the server.\r\ndbg  Option to start an endless loop. Supposed to debug the client but not fully implemented yet.\r\nexit  Disconnects from the server and terminates itself.\r\nhelp  Sends all commands / the description of a command to the server.\r\nclient_err  Sends the last error to the server.\r\ntasks  Sends currently executed commands to the server and has the option to terminate them.\r\nclient_install  Installs / uninstalls the client using the procedure outlined in Pekraut RAT's install / uninstall routine.\r\nUAC bypass via ComputerDefaults.exe\r\nPekraut RAT uses a Windows 10 UAC bypass which utilizes ComputerDefaults.exe. The bypass was first mentioned in October 2018 on Packetstormsecurity by Fabien Dromas. It works as follows:\r\n1. Create the registry key [HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command]\r\n2. Create the value [HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute] with empty data.\r\n3. Set the [HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\(default)] value to the data provided by the server. The data is the program to be launched with admin rights.\r\n4. Launch ComputerDefaults.exe.\r\nComputerDefaults.exe is an auto-elevating Windows binary that opens the ms-settings: protocol handler. Because the per-user HKCU\\Software\\Classes hive takes precedence over HKLM when the handler is resolved, and the empty DelegateExecute value is present, it executes the program from the (default) value with the elevated token and without a UAC prompt. This only works for users who are members of the local Administrators group; a standard user has no elevated token to hand out. After launching ComputerDefaults.exe, Pekraut removes all registry traces of the UAC bypass.\r\nPekraut RAT's install / uninstall routine\r\nPekraut RAT contains an installation and an uninstallation routine. This Pekraut sample fakes svchost.exe and an update for Internet Explorer.\r\nInstallation\r\n1. Copies itself to %USERPROFILE%\\AppData\\Roaming\\Microsoft\\svchost.exe\r\n2. Sets the file attributes of svchost.exe to hidden and system. This makes the file invisible in a normal directory listing, and the system attribute keeps it hidden in Explorer even when \"show hidden files\" is enabled, as long as protected operating system files are still hidden (the default).\r\n3. The registry value [HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell] by default contains the string \"explorer.exe\". Pekraut appends \",%USERPROFILE%\\AppData\\Roaming\\Microsoft\\svchost.exe\" to the string. Winlogon launches every comma-separated entry in this value, so after logging in, explorer.exe and the fake svchost.exe are both executed.\r\n4. A Windows shortcut file is created at C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IExplorerUpdate.lnk. It points to %USERPROFILE%\\AppData\\Roaming\\Microsoft\\svchost.exe. Since the drive for the shortcut location is hardcoded, this will not work on systems that are not installed on drive C:.\r\n5. Lastly, it pings 8.8.8.8 three times to pass time, then deletes its original file and starts its copy %USERPROFILE%\\AppData\\Roaming\\Microsoft\\svchost.exe.\r\nPart of Pekraut's installation routine that sets a Windows shortcut and adds the executable to Winlogon Shell\r\nUninstallation\r\n1. Restores the default for the registry value [HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell] by setting the data to \"explorer.exe\".\r\n2. Deletes the previously created shortcut.\r\n3. Lastly, pings 8.8.8.8 to pass time and then deletes itself.\r\nInstall and uninstall settings\r\nThe install and uninstall routines use nine different flags that make it possible to turn certain behaviour on and off easily. There are also four public static strings that denote the install location, the install subfolder, the name of the copied file and the name of the Windows shortcut. Those flags and strings are most likely meant to be set via a malware builder. A summary is in the screenshot below. As you can see, all flags are turned on for our sample except the useInstallSubFolder option. If it were turned on, the file would be copied to %USERPROFILE%\\AppData\\Roaming\\Microsoft\\\u003cinstallSubFolder\u003e\\svchost.exe\r\nConnection routine of Pekraut\r\nPekraut RAT sets up a socket connection to the server. The connection details are provided in the configuration class (see picture below).\r\nThe threat actor uses the port forwarding service portmap.io to hide the real IP address of their server. Possibly the server is even the actor's home desktop machine.\r\nThe RAT has different data classes to send or receive the following types of data: a new password for encryption, keystrokes, text, images, audio, video, errors, files or authentication info.\r\nText data is encrypted via AES with the password from the configuration. That password is hardcoded in the configuration class (it is listed in the IoC section below), although the protocol has a message type for switching to a new one.
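The registry writes and file drops in the UAC bypass and the installation routine above are easy to hunt for in endpoint telemetry. The Python below is an added example, not code from the G DATA article or from Pekraut: it runs a handful of hunting rules over Sysmon-style events (event ID 1 process create, 11 file create, 13 registry value set). The event field names and the sample events are constructed for this example, with path separators written as forward slashes; norm() also accepts the backslashes real Sysmon output contains. The ms-settings rule keeps state on purpose: Pekraut deletes those keys right after starting ComputerDefaults.exe, so a registry snapshot taken later shows nothing, while the event stream still ties the write to the elevated launch.

```python
# Added example (not the article's code): hunting rules for Pekraut's
# UAC bypass and persistence, evaluated over Sysmon-style events.
# Event shape (an assumption for this example):
#   id 1  process create : image
#   id 11 file create    : image, target
#   id 13 registry set   : image, target, details

SYSTEM_DIRS = ('c:/windows/system32/', 'c:/windows/syswow64/')
MS_SETTINGS_CMD = '/software/classes/ms-settings/shell/open/command'
WINLOGON_SHELL = '/windows nt/currentversion/winlogon/shell'
STARTUP_DIR = '/start menu/programs/startup/'


def norm(path):
    # Sysmon writes paths with backslashes (chr(92)). Fold them to one
    # separator and lower-case so HKCU and HKU/<SID> spellings match alike.
    return path.replace(chr(92), '/').lower()


def basename(path):
    return norm(path).rsplit('/', 1)[-1]


def in_system_dir(path):
    return any(norm(path).startswith(d) for d in SYSTEM_DIRS)


def hunt(events):
    # Returns (rule, detail) pairs in event order. A write to the
    # ms-settings command key is remembered so the later ComputerDefaults.exe
    # launch can be attributed to the process that staged it; Pekraut removes
    # the keys afterwards, so a later registry snapshot would miss them.
    findings = []
    staged_by = None
    for ev in events:
        if ev['id'] == 13:
            target, data = norm(ev['target']), ev.get('details', '')
            if MS_SETTINGS_CMD in target:
                staged_by = ev['image']
                findings.append(('ms_settings_command_hijack',
                                 ev['image'] + ' wrote ' + ev['target']))
            elif target.endswith(WINLOGON_SHELL):
                # Expected data is exactly explorer.exe; Winlogon launches
                # every comma-separated entry, which is what Pekraut abuses.
                parts = [p.strip().lower() for p in data.split(',') if p.strip()]
                if parts != ['explorer.exe']:
                    findings.append(('winlogon_shell_modified', data))
        elif ev['id'] == 1:
            name = basename(ev['image'])
            if name == 'computerdefaults.exe' and staged_by:
                findings.append(('uac_bypass_computerdefaults',
                                 'staged by ' + staged_by))
                staged_by = None
            elif name == 'svchost.exe' and not in_system_dir(ev['image']):
                findings.append(('fake_svchost_process', ev['image']))
        elif ev['id'] == 11:
            target = norm(ev['target'])
            if STARTUP_DIR in target and target.endswith('.lnk'):
                findings.append(('startup_shortcut_dropped', ev['target']))
            elif basename(target) == 'svchost.exe' and not in_system_dir(target):
                findings.append(('fake_svchost_written', ev['target']))
    return findings


# Constructed sample stream mirroring the install routine and the
# exploit_admin_win10 command, followed by benign noise that must not fire.
RAT = 'C:/Users/alice/AppData/Roaming/Microsoft/svchost.exe'
HIVE = 'HKU/S-1-5-21-1111-2222-3333-1001'   # Sysmon names user hives by SID
WINLOGON_KEY = HIVE + '/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/Shell'
MS_SETTINGS_KEY = HIVE + '/Software/Classes/ms-settings/shell/open/command/'

SAMPLE_EVENTS = [
    {'id': 11, 'image': 'C:/Users/alice/Downloads/netRat.exe', 'target': RAT},
    {'id': 13, 'image': RAT, 'target': WINLOGON_KEY, 'details': 'explorer.exe,' + RAT},
    {'id': 11, 'image': RAT, 'target': 'C:/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/IExplorerUpdate.lnk'},
    {'id': 1, 'image': RAT},
    {'id': 13, 'image': RAT, 'target': MS_SETTINGS_KEY + 'DelegateExecute', 'details': ''},
    {'id': 13, 'image': RAT, 'target': MS_SETTINGS_KEY + '(Default)', 'details': RAT},
    {'id': 1, 'image': 'C:/Windows/System32/ComputerDefaults.exe'},
    {'id': 1, 'image': 'C:/Windows/System32/svchost.exe'},
    {'id': 13, 'image': 'C:/Windows/System32/svchost.exe', 'target': WINLOGON_KEY, 'details': 'explorer.exe'},
]

if __name__ == '__main__':
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, '->', detail)
```

Running the file as a script prints one line per finding; the two benign events at the end of SAMPLE_EVENTS (the real svchost.exe and an unchanged Winlogon Shell value) produce none. On real data, feed it the parsed Sysmon events in time order, since the ComputerDefaults.exe rule only fires after a staging write earlier in the same stream.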
The other data types are compressed via zlib.\r\nPekraut RAT is an upcoming threat\r\nWe have not seen any other samples in the wild so far, but there are indications that this malware is just about to be released:\r\n- The version number stated in the configuration is 1.1\r\n- The RAT is feature-rich and prepared to be created en masse in modified versions by a builder\r\n- Once a builder is available to criminals, more versions of the malware will be found in the wild\r\n- The persistence via a fake svchost and a fake Internet Explorer update excludes any benign use as a remote access tool\r\nIndicators of Compromise\r\nSample hashes\r\nDescription  Detection Name  SHA256\r\n[1] Pekraut, ConfuserEx packed  MSIL.Backdoor.NetRat.UAPQUG  cbc500b76995d36c76d04061c58ceaf93a1880af32be494e5ac1e099663e\r\n[2] Pekraut, unpacked, Dotfuscator  MSIL.Backdoor.NetRat.ZDZHYY  2dab95abe3460e34954527e88223662a03512938a9a28ab57e7f0a8ec29\r\n[3] Pekraut deobfuscated, symbol renaming  MSIL.Backdoor.NetRat.IJKLE3  4a89c3676dd86531c1fefb4e76d49cc31dc07a1a68c149dd08967e6fd7f6\r\n[4] IExplorerUpdate.lnk  Win32.Malware.FakeSvchost.A  9dfffcbfb6537dc051b60f630ed1cd3f768bb0024a8e998752ab9ef6f4c30\r\nFile paths and registry\r\nC:\\Users\\%USERNAME%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IExplorerUpdate.lnk\r\n%APPDATA%\\Microsoft\\svchost.exe\r\n[HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell] = \"explorer.exe,%APPDATA%\\Microsoft\\svchost.exe\"\r\n[HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute] = \"\"\r\n[HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\(default)] = \u003cProgram path\u003e\r\nC\u0026C related\r\nPort 37648\r\nAuthentication ID Nga8tG123hragGJjqt10jgag123\r\nPassword used to encrypt commands and logs Ag2asgh2thGas37\r\nKarsten Hahn\r\nPrincipal Malware Researcher\r\nSource: https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing"
	],
	"report_names": [
		"35849-pekraut-german-rat-starts-gnawing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/636bab45ab87f4e354a32905b81878d05c67cc5f.pdf",
		"text": "https://archive.orkl.eu/636bab45ab87f4e354a32905b81878d05c67cc5f.txt",
		"img": "https://archive.orkl.eu/636bab45ab87f4e354a32905b81878d05c67cc5f.jpg"
	}
}