Mahesh Sudula

Level 17
Verified
Hello,
If im not wrong , i think you are Karsten Hahn (Malwr analyst from G data labs).
I was on reading in byte code analysis of a german RAT and got this?

1587986303245.png

Pekraut - German RAT starts gnawing

Pekraut - German RAT starts gnawing
04/02/2020
Feature-rich remote access malware Pekraut emerges. The rodent seems to be of German origin and is ready to be released. We analyzed the malware in-depth.
While searching for new malware via suspicious pathes, a fake svchost.exe in %APPDATA%/Microsoft tipped us off. The sample[1] is a .NET application which is packed with ConfuserEx. The file was uploaded as netRat.exe to Virustotal. The same name is also stated in the file's version information as InternalName and OriginalFilename. Version information also has a copyright statement for 2019.
PortexAnalyzer output for ConfuserEx packed Pekraut sample PortexAnalyzer output for ConfuserEx packed Pekraut sample
PortexAnalyzer output for unpacked Pekraut sample PortexAnalyzer output for unpacked Pekraut sample
Via similarity search we found a second sample[2] that was uploaded to Virustotal a day later. It is not packed but obfuscated with Dotfuscator. Unpacking the ConfuserEx sample[1] results in a file that is almost the same as the second sample[2].
The obfuscation removed the original names of .NET symbols like classes, variables and methods. We didn't find any non-obfuscated Pekraut sample, so we manually named the symbols based on their usage resulting in sample[3]. The deobfuscated sample[3] is also used for screenshots in this article. Please note that those symbol names aren't part of the original source code and thus do not suffice for signatures.
Pekraut RAT's command list
Pekraut's client accepts 27 commands. The help command sends a German description for every command to the server. The commands themselves are still English, though.
Some commands aren't exactly offering what the explanations are saying. E.g. the dbg command is not fully implemented.
The class responsible for managing all commands has seven placeholder objects in the command listing (see image below). The reason is most likely just a quirky way to place a newline when printing the help string of all commands.
Command listing of Pekraut

To sum up, the whole RAT is quite function-rich and fully implemented except for the debugging option. Malware authors are not excempt from being so confident in their code that precautionary steps are neglected.
The table below sums up our analysis of the actual implementation for the commands.
CommandDescription
spy_cbWrites the clipboard data or reads and sends it back to the server. Images stored in the clipboard are also supported.
spy_keyloggerLogs keystrokes. Supports these special keys: VK_OEM_NEC_EQUAL, VK_LShift, VK_RShift, VK_Scroll, VK_LMenu, VK_RMenu, VK_RControl, VK_LControl
spy_micStarts and stops recording with a microphone and sends the data to the server.
spy_scrShows information about a screen or takes a screenshot for a chosen screen and sends it to the server.
spy_camTakes a single picture via webcam or streams webcam to the server.
reg_listLists all subkeys and values of a given registry key.
reg_delDeletes a registry key/value and sends the deleted key to the server.
reg_readReads a registry value and sends it to the server.
reg_valueCreates/writes a value in the registry.
proc_killKills a process via name or ID.
proc_listSends process names and IDs of all running processes to the server.
proc_startExecutes a file via a given path.
file_deleteDeletes a file or folder.
file_downloadDownloads a file from a given URL.
file_infoSends the following information about a file to the server : filename, filename extension, size, creation date, last access and the read-only attribute.
file_listSends all file and folder names within a folder to the server. Extra option to list all available drives.
file_sendSends a file to the server.
exploit_admin_win10Uses a Windows 10 UAC bypass method to start a given program with admin rights. More details to this later on.
pc_cmdStarts a command via cmd.exe and sends the output to the server.
pc_shutdownShuts down the PC.
sysinfoSends information like the machine name, the username, the OS and processor architecture, the screen count, the webcam count and the microphone count to the server.
dbgOption to start an endless-loop. Supposed to debug the client but not fully implemented yet.
exitDisconnects from the server and terminates itself.
helpSends all commands / the description of a command to the server.
client_errSends the last error to the server.
tasksSends currently executed commands to the server and has the option to terminate them.
client_installInstalls / uninstalls the client by using the procedure outlined in PekrautRAT's install / uninstall routine.
 
Top