A robust, multiprocessing-capable, multi-family RAT config parser/extractor for AsyncRAT, DcRAT, VenomRAT, QuasarRAT, and cloned/derivative RAT families.
This configuration parser seeks to be "robust" in that it does not require the user to know the strain of RAT ahead of time; It simply looks for patterns of a common configuration module that is present in the above-mentioned RAT families as well as several clones and derivatives, parses and decrypts the config within that module, and uses YARA to suggest a possible strain for the payload.
This method of detection and parsing is detailed in the accompanying YouTube code overview video here:
and based on the original AsyncRAT config parser and tutorial here:
Python requirements can be installed with pip:
python -m pip install -r requirements.txt
YARA must be installed separately.
$ python rat_king_parser.py -h
usage: rat_king_parser.py [-h] [-d] [-r] [-y YARA] file_paths [file_paths ...]
positional arguments:
file_paths One or more RAT payload file paths
options:
-h, --help show this help message and exit
-d, --debug Enable debug logging
-r, --recompile Recompile the YARA rule used for family detection prior to running the parser
-y YARA, --yara YARA Uses the *compiled* yara rule at this path to determine the potential family of each payload (uses a prepackaged rule at yara_rules/rules.yarc by default)
A YARA rule for RAT family identification is included with this script in yara_rules
in both raw and compiled forms.
However, using the --yara
flag allows a user to specify their own custom YARA rule to use for identification as well.
If you encounter errors using the included compiled YARA rule (which most often occur due to mismatched YARA versions), the included rule can be recompiled using your local YARA version using the --recompile
flag.
yara_rules/recompile.py
, which is the module called by the --recompile
flag, can also be executed on its own to recompile any YARA rule:
$ python yara_rules/recompile.py -h
usage: recompile.py [-h] [-i INPUT] [-o OUTPUT]
options:
-h, --help show this help message and exit
-i INPUT, --input INPUT
YARA rule to compile
-o OUTPUT, --output OUTPUT
Compiled rule output path
python recompile.py -i my_rule.yar -o my_rule.yarc
$ python rat_king_parser.py ../malz/* | python -m json.tool
[
{
"file_path": "../malz/asyncrat_blank.exe",
"config": {
"Ports": "%Ports%",
"Hosts": "%Hosts%",
"Version": "%Version%",
"Install": "%Install%",
"InstallFolder": "%Folder%",
"InstallFile": "%File%",
"Key": "%Key%",
"MTX": "%MTX%",
"Certificate": "%Certificate%",
"Serversignature": "%Serversignature%",
"Anti": "%Anti%",
"Pastebin": "%Pastebin%",
"BDOS": "%BDOS%",
"Delay": "%Delay%",
"Group": "%Group%"
},
"yara_possible_family": "asyncrat",
"aes_key": "None",
"aes_salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941"
},
{
"file_path": "../malz/asyncrat_encrypted.exe",
"config": {
"Ports": "2400",
"Hosts": "minecraftdayzserver.ddns.net",
"Version": "0.5.8",
"Install": "true",
"InstallFolder": "%AppData%",
"InstallFile": "WinRar.exe",
"Key": "VUpkMU9UTEhRSEVSN2d2eWpLeDJud2Q0STFIcDRXS0U=",
"MTX": "LMAsmxp3mz2D",
"Certificate": "MIIE4DCCAsigAwIBAgIQAM+WaL4OeJIj4I0Usukl1TANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTZXJ2ZXIwIBcNMjQwNDA0MTYzMzA2WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKhz3rO2b0ITSMGvwlS7uWZLVU7cuvYiIyB2WnGxe2SUlT5/pZrRxfX6CVL8t11S5CG3UFMdKDutLiA1amqLDbkqZAjG/g1J+7OPUOBrBWfzpEk/CFCFjmUTlMPwM00DtDp5Ju8ONc09JiaL9Ni3GeYsXza+HZB0WRrgpKnMNu+833ddBOaIgdvB4KicE/S8hSRq5kTNIhiNNZ0nrMFgzaQj0ijyXNTXN7nFCTqRSkWn/2pdveWZLqzTRZ5HsUkeXr2vhSdrrk7KOpHWjqNr2Nhl+bqsIRUhwnthLhj6N1Y94W25j3ATrLR6mjjZTGI2wRm95bMe/7V4DxqV30i6MVrwYMXKcaPO+NHoF9P1lErhCgttEGyWJz2dVJqVCXA+fE8hLyKSUeJSwaBJ36Of/OFGXXMXpUD7eFHNCN2yPVsW1ogS04/xkQUmbWbRjYx/l02+RK/kAK3YsZDuvcLsbKoDq7XJKoBVfvbv5W7jcmMvHHT54PNbmkAUasbtM/+/KhKQe1etOoYd+gOv7tgcNFRVH6N6eSuTxasCYjCr9tSLLmziNalWTknHgBtL/x49BJw6FWwrEE3wsl3C4ALfHQFbtI6sTLdCk7t/oNFUhpVE4kwql5xtOpYpkAj500jGfmVc9Wjy34tON2QLKnzAO87pt8XyANEFQdm3qUJX56KdAgMBAAGjMjAwMB0GA1UdDgQWBBRP67T1n4GPr5zJ0tsXMJ+gL7IawDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBMOPQsFZRxqhZZ344n0qBiatzq/jSmfMsMKWYMTiFHHccrgSc63C+nlVpTSCys2BZaMyocxeWKI+w7NklntQhp058+oN7PVC87xod6uZQyfYG1oCR58+Po4I3lWHVdOWQrkEKf4LTpCtyPXPTccZL3AjYcZWLOvP0gcjRsF2dSGnN1WdTPKHxj+OLSwSxlwTW4WN2wg++OV9cmT4wgaT2jPDqv3twxV+JVwEeXMM7XthJsG8ajToCS3Sf7pXnuOBIBoITQEbi7Iyqm/mJwFmAkcpEXb88rHZnKs+rRzjPRI/XsvlGVVuyiHtvPJL9X+R3VVltvrawBCbmN9K2W21E56Nryip0q4wdcF1jJUHXxAiQo/jcu8fO3RGfs9I6SN54PXSWABS7MvNJU8njC1N3J110cnjTgVMNrgRhBHe6r9CGnN4gm9oKvKL5+0/zZvhUPgYusOHIQmdOdfLo0r7tckUk2D18ufRILcaOqyaHLI7Mri1XEli8Brfjdtv/dlpssh/B2/o3bhBlRVD4oL+EX71Bm6cHEKoCLL6zGySSQosQyZpR2j4qVObb5fK1EnilJG4Qk6mNULZfWVPD9TLsJTHEioV8GibykF5O79kruha/pxFvVnoDJHbTPZEWfuR4cb6YIFbTg9pJrOhUsoyZg41leCrcqHR82XOVB755xfw==",
"Serversignature": "PBjqcvsYypDmnjgUVv1SkvtLx+jFt2V7NyZ+nHik0CWcLbwOwBXD6/3an89d/I7pFAxwZXgSiLunc1yCOocUvymhbMwqT5t/yuj4GdW3a16vZSUuPbvGEOuB2oCgUNrsLWzqshnd1yaTIbNoENLJNS3phGLnQXijbrE2/mSEWbSjLcCWMC7Q52c54RCiBuKPQEhFR1KMUBtSeskObCEqOKY9tYsKKTDYDrQPp32Ho4qArPCDIiefcNiT4k17Dw4srW1OkC3uhSCc7BV1dZA/HJw5gd34pFTeCnJnqY34OmE7sux8mhBjaIXSJMXD81272ngrmGwu6++6DkdLgIx2y3uE6IcUFDQmOgU6T9I0ulogZGGZa1PI3VjBjF4TK27EwzrkR0iKi8Ctn8z/HMXnskviCaui6RlxEzWqOytSfe4m0XHpNN2gHVhKbZwJUr5IwKASOWiXgsOVpkTn8K6PDN22X2rCUigjRsE4/45qhd6BFCa/pXMgCHljHKi5qp13yor91rO9n6NjbO2bP28cexUmUwf03lClGQ2og8q05WWiqHHvLlpHxmy8fZwzniJC3tr6htyPYhGpzo20BMOz/x66tA/+JTC8CFFilvf3PP97KwfqpVNqtnyHVui7QR39E6QvoyNzw+7AxpHCSYx6F9tyWu96pBeSbCrMzXaSV0k=",
"Anti": "false",
"Pastebin": "null",
"BDOS": "false",
"Delay": "3",
"Group": "Default"
},
"yara_possible_family": "asyncrat",
"aes_key": "eebdb6b2b00c2501b7b246442a354c5c3d743346e4cc88896ce68485dd6bbb8f",
"aes_salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941"
},
{
"file_path": "../malz/dcrat2.exe",
"config": {
"Por_ts": "2525",
"Hos_ts": "20.200.63.2",
"Ver_sion": " 1.0.7",
"In_stall": "false",
"Install_Folder": "%AppData%",
"Install_File": "",
"Key": "dU81ekM1S2pQYmVOWWhQcjV4WlJwcWRkSnVYR2tTQ0w=",
"MTX": "DcRatMutex_qwqdanchun",
"Certifi_cate": "MIICMDCCAZmgAwIBAgIVANpXtGwt9qBbU/pdFz8d/Pt6kzb7MA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDIxNzA5MjAzM1oXDTMxMTEyNzA5MjAzM1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKt8nE3x/0XYeyDBrDPxdpVH1EMWSVyndAkdVChKaWQFOAAs4r/UeTmw8POG3jUz/XczWBWJt9Vu4Vl0HJN3ZmRIMr75FDGyieel0Vb8sn0hZcABsNr8dbbzfi+eoocVAyZKd79S0mOUinl4PBhldyUJCvanCnguHux8c2F5vnQlAgMBAAGjMjAwMB0GA1UdDgQWBBRjACzYO/EcXaKzlTz8Oq34J5Zq8DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBACA8urqJU44+IpPcx9i0Q0Eu9+qWMPdZ09y+6YdumC6dun1OHn1I5F03YqYCfCdq0l3XpszJlYYzPnPB4ThOfiKUwJ1HJWS2lgWKfd+CdSWCch0c2dEE1Pao+xyNcNpuphBraHZYc4ojekgeQ8MSdHVo/YCYpmaJbxFWDhFgr3Lh",
"Server_signa_ture": "c+KGE0Aw1XRgjGe2Kvay1H3VgUgqKRYGit46DnCR6eW/g+kO+H5oRsfBNkVizj0Q862zTXvLkWZ+ON84bmYhBy3o5YQOPaPyAIXha4ByY150rYRXKkzBR47RkTx616bLYUhqO+PqqNOii9THobbo3zAtwjxEoEWr8s0MLGm2AfE=",
"Paste_bin": "null",
"BS_OD": "false",
"De_lay": "1",
"Group": "16JUNIO-PJOAO",
"Anti_Process": "false",
"An_ti": "false"
},
"yara_possible_family": "dcrat",
"aes_key": "3915b12d862a41cce3da2e11ca8cefc26116d0741c23c0748618add80ee31a5c",
"aes_salt": "4463526174427971777164616e6368756e"
},
{
"file_path": "../malz/quasarrat.exe",
"config": {
"\u5bd8\ue8b1\u8902\u4ab3\ue28f\ua5c9\u9297\ufffd\ua748\u954b\u5801\uccda\u71f1\u7314\u754f\u2036\ud518\u34c4\u0bd2\uabfc": "1.4.1",
"\ubd74\ua2b2\u88b9\uf912\u680a\u6e1c\u9c57\ufffd\u7f1d\ufa03\uad9d\uefae\uede0\u9540\u0199\uead7\u8879\u6442\u4d27\uc296": "10.0.0.61:4782;24.67.68.3:4782;",
"\uaf32\u50ed\ud35f\ue8c1\u8116\ua100\u61aa\u446a\ub74a\ufffd\u1029\ue028\u87a5\u9c32\u6a2d\u643c\u2535\ufffd\uef1b\uf76e": 3000,
"\u8f62\u4a09\u6500\u8f63\ua128\ud6e8\u89c5\ubc5b\u31cd\u663a\u704a\u4531\u4a66\u83fc\u4a96\u302a\ube31\ubebd\u19e8\u02f8": "APPLICATIONDATA",
"\u07ef\uab1b\ube45\u54a8\u874d\ue0e0\ucca0\u790d\ueb38\u5e8c\u7e34\u730f\u810b\u520f\uf143\u7e8b\u8718\u1ab1\u43ec\ub81d": "SubDir",
"\u1b53\u2db6\u7a71\u05f5\u15fe\u5dbb\ud45e\ue70f\uc163\uf217\uc3f5\ue4e6\uf509\u7212\uc5a2\uee2c\uccf1\u45a8\u4489\u911b": "GloomTool.exe",
"\u02b9\u175e\uc513\u9240\u1d5d\ub37e\u7a20\u7dd8\u1709\u68f4\u685b\u0a03\ue1ef\ua892\u0f61\u536b\u0354\ubec7\u3be8\u6095": true,
"\ucef8\ufffd\ud372\ue90d\u611b\u6b37\u53e3\uc3d8\ud442\uc0ca\u02bf\u1477\u82fd\u2449\uc82b\u73dd\u319c\u4a3c\u1d46\u8f98": true,
"\u5602\u18be\u066a\uffc6\u116d\uee93\u7b71\u51f6\uc63f\ue0f2\u5dbb\ufb61\uf17c\u085b\u0b6d\u1784\u24b7\u5a29\u62a2\u843d": "9fdd3e80-d560-431b-b526-3ebbc1799110",
"\u9ff4\ufffd\u86bf\u3143\uc7c4\u1f9a\ub115\u86df\u987b\ua045\u3287\u646f\ud08b\u62de\ubee7\u2270\u1e3a\uec69\ub7cc\u8007": "WindowsAV",
"\ub6ca\u3566\u419d\u1762\u554d\u2999\ue26d\u2649\u66d7\uae3f\ua1a8\u0df6\u5d48\ufffd\u0861\u1386\u6def\u678d\u5cbd\uadcc": true,
"\u6c44\ub609\u68c0\ud49b\u9e28\u8fdc\u286e\ub4b3\ue333\u5c6e\u4ab9\uffa2\u7b4e\u06b9\u0a27\u8ed8\u765d\ub817\u4809\u6fac": true,
"\uab42\u38e0\ucdfc\u0a20\u97f7\u1505\ub1b7\u5d18\u59c3\u36f1\ua70a\u8e85\ud489\uf6bb\ua390\u233d\uabff\u3c76\uf888\u2974": "5F91B88C67A9ACF78B2396771B3B6F2B4615CA57",
"\uc238\uc713\u338a\u6dd8\ua951\u123a\u08d3\u4de2\u34e6\uee25\u6392\u6eb3\u6600\u8b93\ud1fe\u4bea\ud6f2\uee6e\ufffd\u0fc5": "Office04",
"\ub9d6\u27d1\u15fd\u6565\u60bc\ufffd\ub07b\ub445\u85bf\u4d12\u23af\ufffd\u5766\ucc79\uf138\ud0cf\u7405\u37d8\ueed4\u4e44": "Logs",
"\u28ff\u5da4\uba02\u3368\u0311\ud328\u719f\u587e\ue088\u40ad\u1abe\ufffd\ubc83\uff49\ufffd\uf39d\u1489\u83dc\uecb4\u08a7": "KQrwmpZSwOF20ZdNZlVJ7YjgErzUf9cophPOCAULRI4gSid7qeSaRL4LhhUXzEq1JuUlkRR7WTjztBsmwCRqORdxEBFwd1fMTsYFf4COj4yN1sbvc5Yb1qvk6IELnzse14eXVS+y1AbwCOGBEa1P6H2C2X2xH6jZRBMPaFsohcV0z20ZzWpdJw+aQZ/SSbMvE1YFN5o37y3MzAW/nErdZyxLA7t9eTsca+RLT8uHgqU0iEd4Mz1iHUWA2gYY+uPzV1I3oU8LHrWhXnXRhutbShZ80KbE+tfr7XLAIwwol00moTd7GaL4vd/ZeOa3z3nmVO2GxIRMWCmiX52l5MutcuR/nAAR1k+W2ScaAoxXzpb6pwOwccooFty0lpRoO6RMT+g1ux+jwKn4RpH1baEAmA6cu8W2l1mr8dwZ3ra094dUKEdITKRKEviworYIRWDS9w2618tVfRhccHNsbIIp5qZMumne0OVE+FK6rjPZM/Q4OR7++1AQUNiavCOsY6/sbxdb+K43x2PrxzJAPoU33qF2fzXaSIEgbmlqkZFdFOhSVHay5F4lmuvHUGRXmhs37quo874DaCA5phI3aCP8VXIFkHyjOJelIR9wlfsdNY5yOoA2POnFt1Y24YzoPZt3Mc/Nqv74z/cE3LXrJHsgivyZV25nqpiCHL704AfoRpo=",
"\ufaea\u4908\u9188\u6146\uc2d4\u46be\u6a0e\u6405\uccf6\u7a36\uc15c\u5dba\u1927\u670f\u117e\u3e11\uf326\u3f3f\ud664\u56f8": "MIIE9DCCAtygAwIBAgIQAIhqXB+nLwd+VvEk3rjLsTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDQwNTIyNDkxN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArk3R4LAyzBp+YXIUqxBNyT/R94en+jU7NTtJGsCG7I6Tp2ZV6mdTOynApeBLs6RvgIpzxPIbjA7HMoQqRxBDKREcRZJCnK3NdMl+8ZMKU4OLBWINwW4fvZRu2spC79MYiIsKOXRDsfCelPs1llHTbD4b4c+PzbpcGA5gI+luZ6+OKajkGbAKdppse5EdPh+KrE6r74nAJiK9PdvfF1H7XwOVpFChxcYZJmZTG8hfrSFQ/0mSi0CobU71vj8fVkhX0EOVSv/KoilBScsXRYbvNY/uEzS+9f0xsYK5AgJQcUYWLthqKSZbo3T1WecBHKynExf8LbFpC42ACyPbZXtAYt1lyBXyLW8TZS65yquhcVio/ZgAG05WGn+TeA6M+CxNkEZNvgd5PDuBkF6X13w3OXGFOL7i4KBJifSMRyJaqp9i6ksAY8epDRHP1WOXDxnQ8ak+4jyPC6WSZFnGV3DT7lZahvkIaNR8OPR8suOoUWk8Jl9Fxx+DBa6RK3Ht96YkPAf8rY84Hjjp4xp1OF6q88W1YaYo9NtPK+5fkf2pFqa+RC7v3RKgsis3/1xYeBZ8expiCdm5hKTRx0tAkG5bLzC6/Em8cHqCR6lmbPuHgA4ijByU6fLD1JdmwqAcjpy9OIdB8L+G7X8kAu5+WUe5BMiIE6EYvJi3Rpg2fz5Nt9UCAwEAAaMyMDAwHQYDVR0OBBYEFI40k9gCti/BlRy3dUVqsbe3OhMxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAAXYckulFdYnmtdh24egkttF9h/0AD87o9kAnRwJVu3nu12R+FwJgaihvAQZiKQ4kgTkP//ag9E60xwyzEcj00/yZGzjMAAXONZoEyeCxEF5cMjbtmqLWsFkRaHEpWtcczJ2BChEnFDgoGF2I6TOlr7OGoJnzHmz43bY9dkpDJ+tqIZu5AwoMG4WMoNe+by66G2S1AjyVVimIJA7at12EMIUizO0Qov+iBFHSDiVwOZlUxhfu9TNKwIgQdSLHnTaBg03VFHpLZ63Qtmr12LwTEOUyVSnJXEsgZISQ0abMCaped6jwpR7+VlpU4SGfyBU8caFphJafdgVzhmztrTpYMUJE44d50+5ue9us2H2IH+26/+yBbQdffzp1LAFfYgjOE7k8EFjU3ayPaTN7ORtjCyNzhYRvjUCuopb0rWhJsQQRQJzkblrYJ/ocSfNGUQOoJpykyD1QiGboE11xIPheLYetZrRtkmNtFuVeKg9z7AB1ahxEcNGT/MW/wkxUe500cBLVTFeZtsMl7WYB6iUSxboQ8zZ8eWCDS2hYOxKfxfr54p4AW24Y267djKnAfpnMIsgJzjcDxvGGMBlwcrxb0vM0w+9K2R+M17r4bldxnStJj2Wtgal1TBVP1XexZgarfXw3HstKjhbFH6cb4g7ZW4wdCYE5XA6qZL00XpuSy4t",
"\u6482\u55cc\u0c00\u6e0c\ub0cb\u2739\uc5f3!\ufffd\ue2a4\u6690\uc017\uc09a\u7623\uad2b\ua765\u0d61\u73c1\u4b66\u438d": true,
"\uab2a\u1e1c\u930c\u29e5\u7430\u951c\u8251\ub2c5\ue36d\uc373\u5b93\u5e42\uc8fa\u499b\ufffd\u1786\u8f36\uef98\u8dc2\u6926": true,
"\ub27b\ud270\ufffd\u355e\u1622\u7519\u9d96\u7364\uc9d0\u1fde\u52a9\uba41\u1e31\u6312\u8c77\u2adf\u168a\ub8ea\u6141\u6a1f": "",
"\uebb2\u4c72\uf95a\ufffd\ufffd\ua787\u4955\u9b1b\ufffd\u884c\ufcc4\ue409\u5744\ub527\u981c\ue9ca\ucb25\u79b8\u7ada\u23fa": "",
"\u5254\u58f4\u661a\ucf1c\ua701\uea1d\u2f73\u5f72\u61d4\u5da5\u9863\u785d\u82b9\u6196\u9e96\uf4a6\u6ee1\u5883\ua878\uf173": true
},
"yara_possible_family": "quasarrat",
"aes_key": "b30cea630f7fac6c2e066ce7f29e1b4bab548ee95b20ff6aa7387ce14df5dc30",
"aes_salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941"
},
{
"file_path": "../malz/venom64.exe",
"config": {
"Por_ts": "4449,7772",
"Hos_ts": "127.0.0.1",
"Ver_sion": "Venom RAT + HVNC + Stealer + Grabber v6.0.3",
"In_stall": "false",
"Install_Folder": "%AppData%",
"Install_File": "",
"Key": "M1NoWkREazBvNTNGUkRlT0s4TjE1QlRRQmx4bW1zd2U=",
"MTX": "qmhvogiycvwh",
"Certifi_cate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz",
"Server_signa_ture": "BW9mNNWdLZ+UgmfSTOot753DE24GfE+H6HYG5yl4IFszdMLpfQXijxVlt3bcz68PrHwYG2R70J+h9EVUXPjNw2GgCH5I8BvOw6Luh09VjE3YrfERSa2NKJ7baO9U9NDhM4HaSUCUvXGbR6J0itLe+2YthV7GXSCEbbmfZI9UYKU=",
"Paste_bin": "null",
"BS_OD": "false",
"Hw_id": 335806464,
"De_lay": "1",
"Group": "Default",
"Anti_Process": "false",
"An_ti": "false"
},
"yara_possible_family": "venomrat",
"aes_key": "11ed70df5ce22de750c6e7496fa5c51985c321d2d9dd463979337af003644f41",
"aes_salt": "56656e6f6d524154427956656e6f6d"
},
{
"file_path": "../malz/venomrat.exe",
"config": {
"Por_ts": "4449",
"Hos_ts": "127.0.0.1",
"Ver_sion": "Venom RAT + HVNC + Stealer + Grabber v6.0.3",
"In_stall": "false",
"Install_Folder": "%AppData%",
"Install_File": "speedy",
"Key": "TzY1S0thald3UGNURmJTYjNSQVdBYlBQR2tTdUFaTTg=",
"MTX": "ypxcfziuep",
"Certifi_cate": "MIICNjCCAZ+gAwIBAgIVALWZXeRliC16frxuoSrGsVJO4U2tMA0GCSqGSIb3DQEBDQUAMGcxFTATBgNVBAMMDHNwZWVkeSBkcmVhbTETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMDYyNjEzNDc0OFoXDTM0MDQwNDEzNDc0OFowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2DCquy6CwL8H/T1Wi72pbKLyGQdoXBDSKpGyIfLgX5091jBQYbvFbROqt6FjbN52GSpnmd4N8TnQE6KGqTmmSmaf/nxMSNcV1sjhxm7NTfnP9vo/vnZngCmzVr91S9REqlKCiotdkIYWqbdwkmYTuqSdHaicP7Tf0H8oOYZIc5AgMBAAGjMjAwMB0GA1UdDgQWBBS/OFCWU/dcBWOe+i6ERcFdHDOwITAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAIT79sUZm5Je3T7yc9GS+pgzsgtf8OXakm0DrY41uytJgXzgi2E/bWIBja4DyuAddL0ziDCamqDQuFA1MhFNki/X0uKgu1ArxZeXlwKqpDv7ihWRqWrE3rHYha0ALSP8DN0Asmpc4FGnrfhoeoLYXRo8EqH+6ctIkggM8OiBYSTm",
"Server_signa_ture": "Sn1WeJuN+Ypb6kUw4QirT1RzbwUEoeSYTmJAIlg0LayMd/VSwAo+0LnnT/g5HFx4QrqaM689CvKqUNfotQb9cPj05dfgrV3SplVDt5twnK6f8nnScqI8trTCmprH1gnOcoKcY8039kFo9dEj+eOiaBF451W181I5fPJd4Uug1bY=",
"Paste_bin": "null",
"BS_OD": "false",
"Hw_id": 335806464,
"De_lay": "1",
"Group": "Default",
"Anti_Process": "false",
"An_ti": "true"
},
"yara_possible_family": "venomrat",
"aes_key": "86cfd98ca989924e7a9439902dc6a72e315da09c11b100c39cd59b9c9372b192",
"aes_salt": "56656e6f6d524154427956656e6f6d"
}
]
If you have suggestions for improvement, bugs, feedback, or additional RAT families that use a similar configuration format as AsyncRAT, QuasarRAT, VenomRAT, DcRAT, etc. that are not yet supported, please send me a message on Mastodon, YouTube, or submit an Issue or PR in this repo.
Also, if this tool or video tutorial was helpful to you, that's always nice to hear as well!
Thank you!