Fake S-400 Rat trojan
@E0x4D5A, June 23, 2023
Everything started with someone named UKA posting about a scammer in @RatDevs. I requested the malware from him and he gave it to me. I opened dnSpy and looked inside. At first everything looked normal: entry point and so on. Then I got to Form1 (the main form) and saw that its Load event had some suspicious activity.
Form1_Load event
Also, when I tried to execute the exe on my machine, I got a “This app can’t run on your PC” error, since the authors hadn't thought things through. After making fun of it in @RatDevs I set a breakpoint on the Process.Start line and started debugging it. In the Locals window, since the string was already decrypted and was named @string, I could easily see what was inside it.
Gotcha
The @string variable in the Locals window showed everything. I downloaded the executable from there. After I dragged and dropped it into dnSpy, it wasn't loaded like a normal .NET PE. I thought it might be native, but no: the DIE results said it was protected with .NET Reactor. I tried to deobfuscate it, but my time was worth more than that; I wasn't going to deal with a VM. So I switched to dynamic analysis via tria.ge, uploaded it and started analysing it. The others and I died laughing when we saw these…
They didn’t even hide it
Fail
Temp cleanup and the server is gone
Anyways, if you want to analyse it yourself on tria.ge, here is the link: https://tria.ge/230624-bdmv8ahe65/behavioral1
