RAT Decoders

I have talked about decoding RATs several times in previous posts, and if you have read them you will know that I am writing static decoders for the most common Remote Access Trojans.

In this post I'll be releasing a handful of the static decoders I have written so far.

I have set up a repo on GitHub that holds a collection of Python scripts that extract and decode the configuration settings from common RATs.

Each of these decoders is already running on http://malwareconfig.com, where it has additional features that are not included in the scripts, like Snort rules, IOC files and VirusTotal linking.

You can read more about MalwareConfig.com in upcoming posts, or read more here: http://malwareconfig.com/about

Current Rats

Here is a list of the currently supported RATs:

  • Adwind
  • Arcom
  • BlackNix
  • Blue Banana
  • Bozok
  • CyberGate
  • DarkComet
  • DarkRat
  • Graeme
  • jRat
  • LostDoor
  • njRat
  • Pandora
  • PoisonIvy
  • Punisher
  • SpyGate
  • SmallNet
  • Vertex
  • VirusRat
  • xtreme

Upcoming Decoders

  • BlackShades
  • NetWire
  • Gh0st
  • Plasma
  • Any other RATs I can find.

Usage

Each script comes with its own -h option; use it :)

Requirements

Several modules are required, and each script is different, so please check the individual scripts. This is a complete list of the Python modules used across all decoders:

  • pefile - https://code.google.com/p/pefile/
  • pycrypto - https://pypi.python.org/pypi/pycrypto/2.6.1
  • pype32 - https://github.com/crackinglandia/pype32
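To show what these scripts actually do, here is an added example of the skeleton that a static RAT config decoder follows. It is not code from the RATDecoders repo and does not describe any real RAT's format: the key, the delimiter, the field order and the sample blob are all constructed assumptions. The real scripts use pefile (or pype32) to locate the blob inside the PE, typically in a resource or the overlay, and pycrypto where the cipher calls for it; this example implements RC4 inline and works on a blob already carved out of the binary, so it runs with no third-party modules.

```python
"""
Added example (not from the RATDecoders repo): the shape shared by the
static config decoders, run against a constructed blob.

A typical RAT build stores its settings as a delimiter-separated string,
encrypted with a fixed key compiled into the stub. Decoding is therefore:
  1. locate the blob (the real scripts do this with pefile/pype32)
  2. decrypt it with the hard-coded key (RC4 here; the cipher varies per RAT)
  3. split on the delimiter and map the fields to names

Everything below (key, delimiter, field names, sample config) is an
assumption made for illustration, not any real RAT's format.
"""
from typing import Dict, List

HYPOTHETICAL_KEY = b"CONFIG"   # assumed hard-coded key, chosen for the example
DELIMITER = b"|"               # assumed field separator
FIELD_NAMES = ["Domain", "Port", "ID", "Password", "InstallName", "Mutex"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> Dict[str, str]:
    """Split the decrypted blob into named fields. Fields beyond the known list
    are kept under numeric names so a newer builder does not silently lose data."""
    parts: List[bytes] = plaintext.split(DELIMITER)
    config: Dict[str, str] = {}
    for idx, raw in enumerate(parts):
        name = FIELD_NAMES[idx] if idx < len(FIELD_NAMES) else f"Field{idx}"
        config[name] = raw.decode("latin-1")
    return config


def decode_config(blob: bytes, key: bytes = HYPOTHETICAL_KEY) -> Dict[str, str]:
    """Decrypt, then refuse output that does not look like a config: a wrong key
    or a non-config blob yields bytes that fail the printable/delimiter check."""
    plain = rc4(key, blob)
    looks_textual = all(0x20 <= b < 0x7F for b in plain)
    if not looks_textual or DELIMITER not in plain:
        raise ValueError("decrypted data is not a config: wrong key or wrong blob")
    return parse_config(plain)


# Constructed sample: a plaintext we control, encrypted with the assumed key,
# standing in for the blob a real decoder would carve out of the PE.
SAMPLE_PLAINTEXT = b"c2.example.invalid|4444|victim01|s3cret|svchost.exe|MUTEX_1"
SAMPLE_BLOB = rc4(HYPOTHETICAL_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    import argparse
    import json

    ap = argparse.ArgumentParser(description="Decode a (hypothetical) RAT config blob")
    ap.add_argument("-f", "--file",
                    help="file holding the raw encrypted blob; defaults to the sample")
    ap.add_argument("-k", "--key", default=HYPOTHETICAL_KEY.decode(),
                    help="RC4 key (default: the example's assumed key)")
    args = ap.parse_args()
    blob = open(args.file, "rb").read() if args.file else SAMPLE_BLOB
    print(json.dumps(decode_config(blob, args.key.encode()), indent=2))
```

The sanity check in decode_config is the part worth keeping when writing a decoder for a new family: when bulk-running over a corpus, a key mismatch or a repacked sample should surface as a clear error rather than as garbage fields quietly written into an IOC feed.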

Support

If you wish to support the project I will happily accept any of the following:

Samples, RAT build kits, existing decoders, beer, thanks.

There are still several premium paid RATs that I have not been able to examine yet.

If anyone has access to the build kits or is willing to donate funds so I can purchase them, email me at kevin@techanarchy.net or click the button below.


This is the bit I imagine you are most interested in: the link to the repo.

https://github.com/kevthehermit/RATDecoders

Thanks

Before I finish this post, full credit where credit is due.

Malware.lu for the initial Xtreme RAT write-up - https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT

FireEye for their Poison Ivy and Xtreme RAT write-ups (even though they ignored my tweet and reply) - http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html

Shawn Denbow and Jesse Hertz for their paper here - http://www.matasano.com/research/PEST-CONTROL.pdf - it saved me a lot of time.

VirusShare.com - providing the samples that allowed me to bulk test these decoders.


As usual, questions, queries and comments below.
