| Field | Value |
|---|---|
| Name | rat-king-parser |
| Version | 4.0.1 |
| home_page | None |
| Summary | A robust, multiprocessing-capable, multi-family RAT config parser/config extractor for AsyncRAT, DcRAT, VenomRAT, QuasarRAT, XWorm, Xeno RAT, and cloned/derivative RAT families. |
| upload_time | 2024-12-30 04:07:57 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.10 |
| license | Copyright (c) 2024 Jeff Archer. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| keywords | asyncrat, dcrat, malware, parser, quasarrat, venomrat, xenorat, xworm |
| VCS | (none recorded) |
| bugtrack_url | (none recorded) |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# The RAT King Parser
A robust, multiprocessing-capable, multi-family RAT config parser/extractor, tested for use with:
- AsyncRAT
- DcRAT
- VenomRAT
- QuasarRAT
- XWorm
- XenoRat
- Other cloned/derivative RAT families of the above
This configuration parser seeks to be "robust" in that it does not require the user to know anything about the strain or configuration of the RAT ahead of time:
It looks for common configuration patterns present in the above-mentioned RAT families (as well as several clones and derivatives), parses and decrypts the configuration section, using brute-force if simpler patterns are not found, and uses YARA to suggest a possible family for the payload.
The original (much less robust) version of this parser is detailed in the accompanying YouTube code overview video here:
- https://www.youtube.com/watch?v=yoz44QKe_2o
and based on the original AsyncRAT config parser and tutorial here:
- https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser
## Usage
### Installation
As of `v3.1.2`, the RAT King Parser is now available on PyPI and can be installed via `pip`:
```bash
pip install rat-king-parser
```
Note that YARA must be [installed separately](https://yara.readthedocs.io/en/stable/gettingstarted.html#compiling-and-installing-yara).
### Usage Help
```
$ rat-king-parser -h
usage: rat-king-parser [-h] [-v] [-d] [-n] [-r] [-y YARA] file_paths [file_paths ...]

positional arguments:
  file_paths       One or more RAT payload file paths

options:
  -h, --help       show this help message and exit
  -v, --version    show program's version number and exit
  -d, --debug      Enable debug logging
  -n, --normalize  Attempt to translate common variations of config keys to normalized field names
  -r, --recompile  Recompile the YARA rule file used for family detection prior to running the parser
  -y, --yara YARA  Uses the *compiled* yara rule at this path to determine the potential family of each payload (uses a prepackaged rule at rules.yarc by default)
```
### Using YARA for Payload Identification
A [YARA](https://yara.readthedocs.io/en/latest/) rule for RAT family identification is included with this script in `yara_utils` in both raw and compiled forms.
However, using the `--yara` flag allows a user to specify their own custom YARA rule (in compiled form) to use for identification as well.
If you encounter errors using the included compiled YARA rule (which most often occur due to mismatched YARA versions), the included rule can be recompiled using your local YARA version by specifying the `--recompile` flag.
`yara_utils/recompile.py`, which is the script invoked by the `--recompile` flag, can also be executed on its own to (re)compile any YARA rule:
```
$ python yara_utils/recompile.py -h
usage: recompile.py [-h] [-i INPUT] [-o OUTPUT]

options:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        YARA rule to compile
  -o OUTPUT, --output OUTPUT
                        Compiled rule output path
```
```bash
python recompile.py -i my_rule.yar -o my_rule.yarc
```
### External Integrations
As of `v3.1.0`, RAT King Parser has introduced additional, optional wrapper extractors for integration with some external services.
These currently include:
- [MACO](https://github.com/CybercentreCanada/Maco): The Canadian Centre for Cyber Security's malware config extractor framework, which allows RAT King Parser to be integrated with MACO-compatible tools like [AssemblyLine](https://github.com/CybercentreCanada/assemblyline) (though RAT King Parser is already integrated in AssemblyLine's configuration extraction service without need for further configuration)
To use one of these extractors, the optional dependencies for that extractor must be installed.
This can be done with `pip` by referencing the specific optional dependency group to install; for example:
```bash
pip install "rat_king_parser[maco] @ git+https://github.com/jeFF0Falltrades/rat_king_parser.git"
```
## Example Input/Output
```bash
$ rat-king-parser -n dangerzone/* | jq
```
```json
[
{
"file_path": "dangerzone/034941c1ea1b1ae32a653aab6371f760dfc4fc43db7c7bf07ac10fc9e98c849e",
"sha256": "034941c1ea1b1ae32a653aab6371f760dfc4fc43db7c7bf07ac10fc9e98c849e",
"yara_possible_family": "dcrat",
"key": "3915b12d862a41cce3da2e11ca8cefc26116d0741c23c0748618add80ee31a5c",
"salt": "4463526174427971777164616e6368756e",
"config": {
"Ports": [
"2525"
],
"Hosts": [
"20.200.63.2"
],
"Version": " 1.0.7",
"In_stall": "false",
"Install_Folder": "%AppData%",
"Install_File": "",
"Key": "dU81ekM1S2pQYmVOWWhQcjV4WlJwcWRkSnVYR2tTQ0w=",
"Mutex": "DcRatMutex_qwqdanchun",
"Certifi_cate": "...",
"Server_signa_ture": "c+KGE0Aw1XRgjGe2Kvay1H3VgUgqKRYGit46DnCR6eW/g+kO+H5oRsfBNkVizj0Q862zTXvLkWZ+ON84bmYhBy3o5YQOPaPyAIXha4ByY150rYRXKkzBR47RkTx616bLYUhqO+PqqNOii9THobbo3zAtwjxEoEWr8s0MLGm2AfE=",
"Paste_bin": "null",
"BS_OD": "false",
"Hw_id": "null",
"De_lay": "1",
"Group": "16JUNIO-PJOAO",
"Anti_Process": "false",
"An_ti": "false"
}
},
{
"file_path": "dangerzone/0aa7bfb081e73a67c23715a55ff13a74ef6b1ce2b82a33b5537ee001592919a4",
"sha256": "0aa7bfb081e73a67c23715a55ff13a74ef6b1ce2b82a33b5537ee001592919a4",
"yara_possible_family": "asyncrat",
"key": "564eced38c73ee8089d8bcc951f28c0589a54388a4058b0da1d9c4d94514518f",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"TelegramToken": "7153134069:AAHd4riTPdhAdVGBwo16vJQ5H3eORu5QAEo",
"TelegramChatID": "1863892139",
"Ports": [
"6606",
"7707",
"8808"
],
"Hosts": [
"127.0.0.1"
],
"Version": "",
"Install": "false",
"InstallFolder": "%AppData%",
"InstallFile": "",
"Key": "Uk9tU0hKZUlVdXBwek1tV3NqYnBLYVRYcklWQXB5c0I=",
"Mutex": "AsyncMutex_6SI8OkPnk",
"Certificate": "...",
"Serversignature": "...",
"Anti": "false",
"Pastebin": "null",
"BDOS": "false",
"Hwid": "null",
"Delay": "3",
"Group": "Default"
}
},
{
"file_path": "dangerzone/0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e",
"sha256": "0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e",
"yara_possible_family": "asyncrat",
"key": "None",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"Ports": [
"%Ports%"
],
"Hosts": [
"%Hosts%"
],
"Version": "%Version%",
"Install": "%Install%",
"InstallFolder": "%Folder%",
"InstallFile": "%File%",
"Key": "%Key%",
"Mutex": "%MTX%",
"Certificate": "%Certificate%",
"Serversignature": "%Serversignature%",
"Anti": "%Anti%",
"Pastebin": "%Pastebin%",
"BDOS": "%BDOS%",
"Hwid": "null",
"Delay": "%Delay%",
"Group": "%Group%"
}
},
{
"file_path": "dangerzone/6b99acfa5961591c39b3f889cf29970c1dd48ddb0e274f14317940cf279a4412",
"sha256": "6b99acfa5961591c39b3f889cf29970c1dd48ddb0e274f14317940cf279a4412",
"yara_possible_family": "asyncrat",
"key": "eebdb6b2b00c2501b7b246442a354c5c3d743346e4cc88896ce68485dd6bbb8f",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"Ports": [
"2400"
],
"Hosts": [
"minecraftdayzserver.ddns.net"
],
"Version": "0.5.8",
"Install": "true",
"InstallFolder": "%AppData%",
"InstallFile": "WinRar.exe",
"Key": "VUpkMU9UTEhRSEVSN2d2eWpLeDJud2Q0STFIcDRXS0U=",
"Mutex": "LMAsmxp3mz2D",
"Certificate": "...",
"Serversignature": "...",
"Anti": "false",
"Pastebin": "null",
"BDOS": "false",
"Hwid": "null",
"Delay": "3",
"Group": "Default"
}
},
{
"file_path": "dangerzone/83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce",
"sha256": "83892117f96867db66c1e6676822a4c0d6691cde60449ee47457f4cc31410fce",
"yara_possible_family": "quasarrat",
"key": "ff230bfb57fecad4bd59d4d97f6883b4",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"梽畨芾⇼범䨖ꔭ⧭ㅙ⢄熼ꟿ⼳᷍砫ᡸꟿᄐഹ": "1.3.0.0",
"ꥄ챥蝝࿙ዷ䑌⭞⿑㦝䜒䖘苘ꃧ읲㚥ᡄ媬": "qztadmin.duckdns.org:9782;",
"蚹嘪ꜟ쀣쓡爲劄㷟耑츋϶�ὂ䲬㺲釺罱恫ῗ": 3000,
"姰쭕锓
滧ꥀ栞丫갣橶譌窴ꄩ邪᷺": "1WvgEMPjdwfqIMeM9MclyQ==",
"αХɇらꁶꄕ搩〆ᮍ뽭⩖覮ϕ鷫Ꝧ겈屄롚쐢": "NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==",
"맻胼䇸ﳊ㒡蠯칣ᰶ⇷敉謵완瀫ᣣ究హ": "APPLICATIONDATA",
"딕漩럙褹퍵ᮐ螉뗏흛ᅩ駔졾楝팵᳦ꔍ퓩": "SubDir",
"楤쿄ㄕݮ㦲/ⳡÀ阙楞媾⯥舶㚽侕넉䜠൱胍": "Client.exe",
"ꦶ◊ꇔ㺺⫺黆⋚㩼졮瑭篛싧礞ᛂ卵᠃": false,
"雒ﵚ푨繏�剷ᬬ�귯죥羢ꊇ鄬譆屿靘绠": false,
"뷉ᬚ杤羾姣籼䏤卢꺢鼕�좖Ⲭ때믩ꯪ캖": "QSR_MUTEX_YMblzlA3rm38L7nnxQ",
"攀㿘왂㩋䓿䕔�د州쯲ꀈ级䀇�ﴍ哚Ɪ幒": "Quasar Client Startup",
"䞑隌ᇅ欉ᅈ킅杖蝬䞂鼿⡮뀾鉛췡罡衅쑈": false,
"鶹鱶ꏭ¥쒥녠⪚㐢ꔶ�㗬쁫ﹰ깧냁鮘ఋ鄳": true,
"녝맯넰鸸莨둑⤘㔒荲뽓⢕⢏幧皂ᯝ䩴鵔邫꾈": "mDf8ODHd9XwqMsIxpY8F",
"�荣ڲ蚘騌殼㫔រ볡༭误펮頠䬡�硲욣": "Office04",
"Ꮞ㮇泄쮬櫌⦤퀼뜸姭퀏锖鐓躲罸멇〃": "Logs",
"ߢ訴ﻘ篋껫슴㹞ᢡ尖Ť岺ፇ庵�獍ᇔ哜ﺲ暽": true,
"祹륰㫬�伫蔩⍭䧇芕㵼鈍䰸з䘶蟨庛쵃턐": false
}
},
{
"file_path": "dangerzone/9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4",
"sha256": "9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4",
"yara_possible_family": "venomrat",
"key": "86cfd98ca989924e7a9439902dc6a72e315da09c11b100c39cd59b9c9372b192",
"salt": "56656e6f6d524154427956656e6f6d",
"config": {
"Ports": [
"4449"
],
"Hosts": [
"127.0.0.1"
],
"Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3",
"In_stall": "false",
"Install_Folder": "%AppData%",
"Install_File": "speedy",
"Key": "TzY1S0thald3UGNURmJTYjNSQVdBYlBQR2tTdUFaTTg=",
"Mutex": "ypxcfziuep",
"Certifi_cate": "...",
"Server_signa_ture": "Sn1WeJuN+Ypb6kUw4QirT1RzbwUEoeSYTmJAIlg0LayMd/VSwAo+0LnnT/g5HFx4QrqaM689CvKqUNfotQb9cPj05dfgrV3SplVDt5twnK6f8nnScqI8trTCmprH1gnOcoKcY8039kFo9dEj+eOiaBF451W181I5fPJd4Uug1bY=",
"Paste_bin": "null",
"BS_OD": "false",
"Hw_id": "null",
"De_lay": "1",
"Group": "Default",
"Anti_Process": "false",
"An_ti": "true"
}
},
{
"file_path": "dangerzone/a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e",
"sha256": "a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e",
"yara_possible_family": "quasarrat",
"key": "None",
"salt": "None",
"config": {
"Version": "1.0.00.r3",
"RECONNECTDELAY": 5000,
"PASSWORD": "5EPmsqV4iTCGjx9aY3yYpBWD0IgEJpHNEP75pks",
"SPECIALFOLDER": "APPLICATIONDATA",
"SUBFOLDER": "SUB",
"INSTALLNAME": "INSTALL",
"INSTALL": false,
"STARTUP": true,
"Mutex": "e4d6a6ec-320d-48ee-b6b2-fa24f03760d4",
"STARTUPKEY": "STARTUP",
"HIDEFILE": true,
"ENABLELOGGER": true,
"Key": "O2CCRlKB5V3AWlrHVKWMrr1GvKqVxXWdcx0l0s6L8fB2mavMqr",
"Group": "RELEASE",
"hardcoded_hosts": [
"kilofrngcida.xyz:443",
"sartelloil.lat:443",
"fostlivedol.xyz:443",
"comerciodepeixekino.org:443",
"cartlinkfoltrem.xyz:443",
"trucks-transport.xyz:443"
]
}
},
{
"file_path": "dangerzone/a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b",
"sha256": "a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b",
"yara_possible_family": "quasarrat",
"key": "b30cea630f7fac6c2e066ce7f29e1b4bab548ee95b20ff6aa7387ce14df5dc30",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"寘褂䪳ꗉ銗�Ꝉ镋堁쳚燱猔畏‶픘㓄": "1.4.1",
"뵴ꊲ袹裸栊渜鱗�缝糖궝镀ƙ衹摂䴧슖": "10.0.0.61:4782;24.67.68.3:4782;",
"꼲僭퍟脖ꄀ憪䑪띊�ဩ螥鰲樭搼┵�": 3000,
"轢䨉攀轣ꄨ훨觅뱛㇍昺灊䔱䩦菼䪖〪븱뺽᧨˸": "APPLICATIONDATA",
"߯빅咨蝍철礍庌縴猏脋刏纋蜘᪱䏬렝": "SubDir",
"᭓ⶶ穱ᗾ嶻푞셣쏵爒얢쳱䖨䒉鄛": "GloomTool.exe",
"ʹ씓鉀ᵝ덾稠緘ᜉ棴桛ਃꢒཡ卫͔뻇㯨悕": true,
"컸�퍲愛欷口쏘푂샊ʿᑷ苽⑉젫珝㆜䨼ᵆ辘": true,
"嘂ᢾ٪ᅥᅭ筱凶옿嶻ﭡ࡛୭ងⒷ娩抢落": "9fdd3e80-d560-431b-b526-3ebbc1799110",
"鿴�蚿ㅃ쟄ᾚ넕蛟须ꁅ㊇摯킋拞뻧≰Ḻ럌耇": "WindowsAV",
"뛊㕦䆝ᝢ啍⦙♉曗긿ꆨ嵈�ࡡᎆ淯枍岽귌": true,
"汄똉检풛鸨远⡮뒳屮䪹ᄁ筎ڹਧ軘癝렗䠉澬": true,
"ꭂ㣠췼ਠ韷ᔅ놷崘姃㛱꜊躅풉ꎐ⌽㱶⥴": "5F91B88C67A9ACF78B2396771B3B6F2B4615CA57",
"숸윓㎊淘ꥑሺ࣓䷢㓦排溳昀讓퇾䯪훲�࿅": "Office04",
"맖⟑ᗽ敥悼�끻둅薿䴒⎯�坦챹탏琅㟘乄": "Logs",
"⣿嶤먂㍨̑패熟塾䂭᪾�벃i�ᒉ菜ࢧ": "KQrwmpZSwOF20ZdNZlVJ7YjgErzUf9cophPOCAULRI4gSid7qeSaRL4LhhUXzEq1JuUlkRR7WTjztBsmwCRqORdxEBFwd1fMTsYFf4COj4yN1sbvc5Yb1qvk6IELnzse14eXVS+y1AbwCOGBEa1P6H2C2X2xH6jZRBMPaFsohcV0z20ZzWpdJw+aQZ/SSbMvE1YFN5o37y3MzAW/nErdZyxLA7t9eTsca+RLT8uHgqU0iEd4Mz1iHUWA2gYY+uPzV1I3oU8LHrWhXnXRhutbShZ80KbE+tfr7XLAIwwol00moTd7GaL4vd/ZeOa3z3nmVO2GxIRMWCmiX52l5MutcuR/nAAR1k+W2ScaAoxXzpb6pwOwccooFty0lpRoO6RMT+g1ux+jwKn4RpH1baEAmA6cu8W2l1mr8dwZ3ra094dUKEdITKRKEviworYIRWDS9w2618tVfRhccHNsbIIp5qZMumne0OVE+FK6rjPZM/Q4OR7++1AQUNiavCOsY6/sbxdb+K43x2PrxzJAPoU33qF2fzXaSIEgbmlqkZFdFOhSVHay5F4lmuvHUGRXmhs37quo874DaCA5phI3aCP8VXIFkHyjOJelIR9wlfsdNY5yOoA2POnFt1Y24YzoPZt3Mc/Nqv74z/cE3LXrJHsgivyZV25nqpiCHL704AfoRpo=",
"䤈醈慆싔䚾樎搅쳶稶셜嶺ᤧ朏ᅾ㸑㼿홤囸": "MIIE9DCCAtygAwIBAgIQAIhqXB+nLwd+VvEk3rjLsTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDQwNTIyNDkxN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArk3R4LAyzBp+YXIUqxBNyT/R94en+jU7NTtJGsCG7I6Tp2ZV6mdTOynApeBLs6RvgIpzxPIbjA7HMoQqRxBDKREcRZJCnK3NdMl+8ZMKU4OLBWINwW4fvZRu2spC79MYiIsKOXRDsfCelPs1llHTbD4b4c+PzbpcGA5gI+luZ6+OKajkGbAKdppse5EdPh+KrE6r74nAJiK9PdvfF1H7XwOVpFChxcYZJmZTG8hfrSFQ/0mSi0CobU71vj8fVkhX0EOVSv/KoilBScsXRYbvNY/uEzS+9f0xsYK5AgJQcUYWLthqKSZbo3T1WecBHKynExf8LbFpC42ACyPbZXtAYt1lyBXyLW8TZS65yquhcVio/ZgAG05WGn+TeA6M+CxNkEZNvgd5PDuBkF6X13w3OXGFOL7i4KBJifSMRyJaqp9i6ksAY8epDRHP1WOXDxnQ8ak+4jyPC6WSZFnGV3DT7lZahvkIaNR8OPR8suOoUWk8Jl9Fxx+DBa6RK3Ht96YkPAf8rY84Hjjp4xp1OF6q88W1YaYo9NtPK+5fkf2pFqa+RC7v3RKgsis3/1xYeBZ8expiCdm5hKTRx0tAkG5bLzC6/Em8cHqCR6lmbPuHgA4ijByU6fLD1JdmwqAcjpy9OIdB8L+G7X8kAu5+WUe5BMiIE6EYvJi3Rpg2fz5Nt9UCAwEAAaMyMDAwHQYDVR0OBBYEFI40k9gCti/BlRy3dUVqsbe3OhMxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAAXYckulFdYnmtdh24egkttF9h/0AD87o9kAnRwJVu3nu12R+FwJgaihvAQZiKQ4kgTkP//ag9E60xwyzEcj00/yZGzjMAAXONZoEyeCxEF5cMjbtmqLWsFkRaHEpWtcczJ2BChEnFDgoGF2I6TOlr7OGoJnzHmz43bY9dkpDJ+tqIZu5AwoMG4WMoNe+by66G2S1AjyVVimIJA7at12EMIUizO0Qov+iBFHSDiVwOZlUxhfu9TNKwIgQdSLHnTaBg03VFHpLZ63Qtmr12LwTEOUyVSnJXEsgZISQ0abMCaped6jwpR7+VlpU4SGfyBU8caFphJafdgVzhmztrTpYMUJE44d50+5ue9us2H2IH+26/+yBbQdffzp1LAFfYgjOE7k8EFjU3ayPaTN7ORtjCyNzhYRvjUCuopb0rWhJsQQRQJzkblrYJ/ocSfNGUQOoJpykyD1QiGboE11xIPheLYetZrRtkmNtFuVeKg9z7AB1ahxEcNGT/MW/wkxUe500cBLVTFeZtsMl7WYB6iUSxboQ8zZ8eWCDS2hYOxKfxfr54p4AW24Y267djKnAfpnMIsgJzjcDxvGGMBlwcrxb0vM0w+9K2R+M17r4bldxnStJj2Wtgal1TBVP1XexZgarfXw3HstKjhbFH6cb4g7ZW4wdCYE5XA6qZL00XpuSy4t",
"撂嗌ఀ渌냋✹엳!�暐쀗삚瘣괫ꝥൡ珁䭦䎍": true,
"ꬪḜ錌⧥琰锜艑닅썳宓幂죺䦛�ឆ輶跂椦": true,
"뉻퉰�㕞ᘢ甙鶖獤짐῞助멁ḱ挒豷⫟ᚊ룪慁樟": "",
"䱲讀��ꞇ䥕鬛�行ﳄ坄딧頜쬥禸竚⏺": "",
"剔壴昚켜꜁⽳彲懔嶥顣硝芹憖麖满境": true
}
},
{
"file_path": "dangerzone/b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e.exe",
"sha256": "b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e",
"yara_possible_family": "xworm",
"key": "c527ac2a4eeb6039d9477583d0f4f2c527ac2a4eeb6039d9477583d0f4f2ee00",
"salt": "None",
"config": {
"Hosts": [
"act-cleaning.gl.at.ply.gg"
],
"Ports": [
"37158"
],
"KEY": "<123456789>",
"SPL": "<Xwormmm>",
"Sleep": 3,
"Group": "NeverLoseCrack",
"USBNM": "USB.exe",
"InstallDir": "%ProgramData%",
"InstallStr": "svchost.exe",
"Mutex": "OkWVOTioL6k3Fg3w",
"LoggerPath": "\\Log.tmp"
}
},
{
"file_path": "dangerzone/beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5.exe",
"sha256": "beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5",
"yara_possible_family": "quasarrat",
"key": "b5580a84ddadcf548713dd64fedbbe067f931e6ce4699271de572acbd52f4074",
"salt": "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941",
"config": {
"伔雂婀瀿ਟ昄뒢셟�혞㯫僝큧絜錀䋽쪖": "1.4.1",
"�냖胃櫐턌㙥珃⬆郘⫝̸ᔔ겿㓣玌䠾镲": "91.92.241.122:6969;",
"䮱⛴�ꓞ獐㲚앮컨ᶉ綟㝬㙚ල፞屷烅": 3000,
"숀덆衏ꪑꉴ闦ж윰쬁誁㑇�푈ꊦⵙ鼭�퍽닢": "APPLICATIONDATA",
"ꀥ튪﴿퓪僗䵊㹂溳ၺ렦�坧⬖ﯓ�驨㼂㏜좟": "",
"ʼយ쬀믍��᱆贘好颗賫柊┩钵ʌ멃B螑䭏": "Client.exe",
"ꧭꇶ魶䣈ኜ瘷笵ۯ畉錡읐ᛛ箶웤㑍髌�옍": true,
"斐⛊䒿鵂ʁ㫔헊遁骗ꊵ㣉ᚏ㳱鰸䵙깿㒬": true,
"簔쌑饶曰姞耣㎹䥶鯹ꏃ揼ꖐិ싟캥伽": "fcf2be0a-a426-40c6-b153-1a354814f80d",
"䃦瑸䱌籾쮇ઈ帝蝃黱䥤긂�듗ሽ엮�ྋ螑�": "Quasar Client Startup",
"鵶ᳵ䰑訵ᶻ㋪据⽇ደⅡ䒯ઓ夹ዞᛀ뾱᷵鎘뜯": false,
"㙲輁絫䲖䲎崛婘㨁웳䓪視䈜豇ቊ竭䗹菈鍵": true,
"㘎▒鏢㣗륾者梓勄鋭Ị秩䴰䯾獵㰀ඇ蠔": "26A6C07FE7354BCD244B108D2E3538DCF04477F5",
"凷킃瓸䲖ꩾꋷ烿筸駸쉗흋㧃ۛ䃵澶浟뷬䢑": "Fab",
"ཆ빉뤺뤨刄ꕓ坨迄湎鯙⫵ﰿ䆌᱄㿐έ⋆㕈嗎": "Logs",
"ᚒ宋㽾亞꿷牣㴳덯蟭빉恷뼞櫻빜ꖯ�꒳ꖗힻ": "...",
"䨧猣∣୦�稜⚉柨暁즛쿾坯똃톺ﻬႄ": "...",
"嵥帐迉ⷹ윱ㅥ䢕⎥┷ꀵ쨊ꁌ샖쮟铒﷼㥺쿡茦": false,
"ா巪騸䑥髲鷞뚒猌鉦扆켡⊸꜉༾⚾龔薮": false,
"ﺖĊꠣ㬿蔭䮕労酠⏻ꜜ簄ꙡ蚼좦⏺脬럌팩㿑": "",
"㝉늣漊ꩁᤌ몤뒦짚햻ꙝ꯸㫒뉂摝㘢롷㠨ᗪ": "",
"ቼಎ绒乫�患㷕㿧㬣翔ḳ⛫ﱑ氖ᔖ졞薿ᐛꨛ醅": true
}
},
{
"file_path": "dangerzone/d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e",
"sha256": "d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e",
"yara_possible_family": "xenorat",
"key": "650f47cdd14eaef8c529f2a03fa7744c",
"salt": "None",
"config": {
"Hosts": [
"77.221.152.198"
],
"Ports": 4444,
"Key": "03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4",
"delay": 5000,
"mutex_string": "Xeno_rat_nd89dsedwqdswdqwdwqdqwdqwdwqdwqdqwdqwdwqdwqd12d",
"DoStartup": 2222,
"Install_path": "appdata",
"startup_name": "nothingset"
}
},
{
"file_path": "dangerzone/db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa",
"sha256": "db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa",
"yara_possible_family": "venomrat",
"key": "11ed70df5ce22de750c6e7496fa5c51985c321d2d9dd463979337af003644f41",
"salt": "56656e6f6d524154427956656e6f6d",
"config": {
"Ports": [
"4449",
"7772"
],
"Hosts": [
"127.0.0.1"
],
"Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3",
"In_stall": "false",
"Install_Folder": "%AppData%",
"Install_File": "",
"Key": "M1NoWkREazBvNTNGUkRlT0s4TjE1QlRRQmx4bW1zd2U=",
"Mutex": "qmhvogiycvwh",
"Certifi_cate": "...",
"Server_signa_ture": "BW9mNNWdLZ+UgmfSTOot753DE24GfE+H6HYG5yl4IFszdMLpfQXijxVlt3bcz68PrHwYG2R70J+h9EVUXPjNw2GgCH5I8BvOw6Luh09VjE3YrfERSa2NKJ7baO9U9NDhM4HaSUCUvXGbR6J0itLe+2YthV7GXSCEbbmfZI9UYKU=",
"Paste_bin": "null",
"BS_OD": "false",
"Hw_id": "null",
"De_lay": "1",
"Group": "Default",
"Anti_Process": "false",
"An_ti": "false"
}
},
{
"file_path": "dangerzone/fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d",
"sha256": "fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d",
"yara_possible_family": "xworm",
"key": "e5f7efe2fddd6755c92cbc39d5559ce5f7efe2fddd6755c92cbc39d5559c4000",
"salt": "None",
"config": {
"aumDBZNDJ7f2": "mo1010.duckdns.org",
"gnnrkMjhrGnD": "7000",
"xeGVxN2u4Sp3": "<123456789>",
"upgseICLHsZe": "<Xwormmm>",
"jF5pyMR4K1B8": 3,
"VpYiyt9aVUsv": "USB.exe",
"z7mwUS4LmaFC": "%AppData%",
"Fjg9TdM4RTsH": "tBZ7NDtphvUCm0Dc",
"5BPKEMIKpcCV": "\\Log.tmp"
}
},
{
"file_path": "dangerzone/vstdlib_s64",
"sha256": "6e5671dec52db7f64557ba8ef70caf53cf0c782795236b03655623640f9e6a83",
"yara_possible_family": "quasarrat",
"key": "526f35346a62726168486530765a6266487a7039685575526637684a737575794b4c7933654e5a3465644c415a71455861676b3078357767563277364d544b5339367279367959664d6a66456f35653934784e396c684e346b514c4e7479317442704974",
"salt": "None",
"config": {
"Version": "1.0.00.r6",
"RECONNECTDELAY": 5000,
"PASSWORD": "5EPmsqV4iTCGjx9aY3yYpBWD0IgEJpHNEP75pks",
"SPECIALFOLDER": "APPLICATIONDATA",
"SUBFOLDER": "SUB",
"INSTALLNAME": "INSTALL",
"INSTALL": false,
"STARTUP": true,
"Mutex": "e4d6a6ec-320d-48ee-b6b2-fa24f03760d4",
"STARTUPKEY": "STARTUP",
"HIDEFILE": true,
"ENABLELOGGER": true,
"Key": "O2CCRlKB5V3AWlrHVKWMrr1GvKqVxXWdcx0l0s6L8fB2mavMqr",
"Group": "RELEASE",
"xor_decoded_strings": [
"BPN - Nuestro Banco",
"Red Link - bpn",
"HB Judiciales BPN",
"Ingresá a tu cuenta",
"Online Banking Web",
"Banca Empresa 3.0",
"Banco Ciudad",
"Banco Ciudad | Autogestión",
"Banca Empresa 3.0",
"Banco Comafi - Online Banking",
"Banco Comafi - eBanking Empresas",
"Online Banking Santander | Inicio de Sesión",
"Online Banking Empresas",
"Online Banking",
"Office Banking",
"HSBC Argentina",
"HSBC Argentina | Bienvenido",
"accessbanking.com.ar/RetailHomeBankingWeb/init.do?a=b",
"ICBC Access Banking | Home Banking",
"Banco Patagonia",
"ebankpersonas.bancopatagonia.com.ar/eBanking/usuarios/login.htm",
"Página del Banco de la Provincia de Buenos Aires",
"Red Link",
"bind - finanzas felices :)",
"BindID Ingreso",
"BBVA Net Cash | Empresas | BBVA Argentina",
"Bienvenido a nuestra Banca Online | BBVA Argentina",
"Ingresá tu e-mail, teléfono o usuario de Mercado Pago",
"Mercado Pago | De ahora en adelante, hacés más con tu dinero.",
"Mercado Pago",
"Home Banking",
"Office Banking",
"Banco Santa Cruz Gobierno - Una propuesta para cada Comuna o Municipio | Banco Santa Cruz",
"Home banking",
"Office Banking",
"Banco de Santa Cruz",
"Red Link",
"Banco de la Nación Argentina",
"Red Link - BANCO DE LA NACION ARGENTINA",
"Red Link",
"Macro | Agenda powered by Whyline",
"Banco Macro | Banca Internet Personas",
"Banco Macro | NUEVA Banca Internet Empresas",
"https://argentina-e4162-default-rtdb.firebaseio.com/user.json",
"C:\\\\Users\\\\",
"\\\\AppData\\\\Local\\\\Aplicativo Itau",
"C:\\\\Program Files\\\\Topaz OFD\\\\Warsaw",
"C:\\\\ProgramData\\\\scpbrad",
"C:\\\\ProgramData\\\\Trusteer",
"dd.MM.yyyy HH:mm:ss",
"application/json",
"Sistema no disponible, intente nuevamente más tarde.",
"SENHA DE 6 BPN",
"SENHA DE 6 NB",
"SENHA DE 6 CIUDAD",
"SENHA DE 6 COMAFI",
"SENHA DE 6 GALACIA",
"SENHA DE 6 HSBC",
"SENHA DE 6 ICBC",
"SENHA DE 6 PATAGONIA",
"SENHA DE 6 PROVINCIA",
"SENHA DE 6 SANTANDER",
"SENHA DE 6 BIND",
"SENHA DE 6 BBVA",
"driftcar.giize.com:443",
"adreniz.kozow.com:443"
]
}
}
]
```
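A consumer for the JSON shown above, as an added example that is not part of the RAT King Parser project: it flattens each record into C2 (host, port) indicators for blocking or hunting, handling the shapes visible in the output (list `Hosts`/`Ports`, Xeno RAT's bare-integer `Ports`, QuasarRAT's `host:port;` strings under obfuscated keys, `hardcoded_hosts`, and the `%Hosts%` template placeholders). The script name `c2_from_rkp.py` and the `k1`..`k4` stand-in keys in the constructed sample are assumptions.

```python
"""Flatten RAT King Parser JSON output into a list of C2 endpoints.

Added example (not part of the RAT King Parser project): reads the JSON
array the parser prints and emits one (sha256, family, host, port) row per
endpoint, coping with the family-specific shapes seen in the example output.
"""
import json
import re
import sys

# QuasarRAT stores endpoints as "host:port;host:port;" in a single string, and
# its obfuscated builds give that string an unreadable key, so the value is
# recognised by shape rather than by key name. The same shape matches the
# entries of "hardcoded_hosts" and "host:port" items in "xor_decoded_strings".
HOSTLIST_RE = re.compile(r"^(?:[A-Za-z0-9.\-]+:\d{1,5};?)+$")


def _as_list(value):
    """Hosts/Ports are lists for AsyncRAT/DcRAT/VenomRAT/XWorm, but Xeno RAT's
    Ports is a bare int; normalise every form to a list of strings."""
    if value is None:
        return []
    if isinstance(value, (str, int)):
        return [str(value)]
    return [str(v) for v in value]


def _split_hostport(entry):
    host, _, port = entry.rpartition(":")
    return host, port


def extract_c2(record):
    """Return sorted, de-duplicated (host, port) pairs for one parser record."""
    cfg = record.get("config") or {}
    pairs = set()

    def add(host, port):
        # Unbuilt template payloads carry "%Hosts%"/"%Ports%" placeholders
        # (the 0e19cefb... record above); those are not indicators.
        if host and not host.startswith("%") and not port.startswith("%"):
            pairs.add((host, port))

    # Families with readable "Hosts"/"Ports" keys.
    ports = _as_list(cfg.get("Ports")) or [""]
    for host in _as_list(cfg.get("Hosts")):
        for port in ports:
            add(host, port)

    # Any string value, or string inside a list value, shaped like "host:port;".
    for value in cfg.values():
        for item in (value if isinstance(value, list) else [value]):
            if isinstance(item, str) and HOSTLIST_RE.match(item):
                for entry in item.rstrip(";").split(";"):
                    add(*_split_hostport(entry))
    return sorted(pairs)


def indicator_rows(records):
    """One (sha256, yara_possible_family, host, port) tuple per endpoint."""
    return [
        (rec.get("sha256", ""), rec.get("yara_possible_family", ""), host, port)
        for rec in records
        for host, port in extract_c2(rec)
    ]


# Constructed sample: trimmed records modelled on the example output above
# ("k1".."k4" stand in for the obfuscated QuasarRAT keys).
SAMPLE_OUTPUT = [
    {"sha256": "034941c1ea1b1ae32a653aab6371f760dfc4fc43db7c7bf07ac10fc9e98c849e",
     "yara_possible_family": "dcrat",
     "config": {"Ports": ["2525"], "Hosts": ["20.200.63.2"], "In_stall": "false"}},
    {"sha256": "0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e",
     "yara_possible_family": "asyncrat",
     "config": {"Ports": ["%Ports%"], "Hosts": ["%Hosts%"], "Mutex": "%MTX%"}},
    {"sha256": "a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b",
     "yara_possible_family": "quasarrat",
     "config": {"k1": "1.4.1", "k2": "10.0.0.61:4782;24.67.68.3:4782;",
                "k3": 3000, "k4": "GloomTool.exe"}},
    {"sha256": "d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e",
     "yara_possible_family": "xenorat",
     "config": {"Hosts": ["77.221.152.198"], "Ports": 4444, "delay": 5000}},
    {"sha256": "6e5671dec52db7f64557ba8ef70caf53cf0c782795236b03655623640f9e6a83",
     "yara_possible_family": "quasarrat",
     "config": {"Version": "1.0.00.r6",
                "hardcoded_hosts": ["kilofrngcida.xyz:443", "sartelloil.lat:443"],
                "xor_decoded_strings": ["Online Banking", "dd.MM.yyyy HH:mm:ss",
                                        "driftcar.giize.com:443"]}},
]

if __name__ == "__main__":
    # Usage: rat-king-parser -n samples/* > rkp.json && python c2_from_rkp.py rkp.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            records = json.load(fh)
    else:
        records = SAMPLE_OUTPUT
    for row in indicator_rows(records):
        print(",".join(row))
```

XWorm builds with randomized keys (the fb0d45b0... record above) keep host and port in separate values, so the shape check does not recover them; those need the key-position heuristics the parser applies rather than a value-shape match.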
## Feedback, Issues, and Additions
If you have suggestions for improvement, bugs, feedback, or additional RAT families that use a similar configuration format as AsyncRAT, QuasarRAT, VenomRAT, DcRAT, etc. that are not yet supported, please send me a message on [Mastodon](https://infosec.exchange/@jeFF0Falltrades), [YouTube](https://www.youtube.com/c/jeff0falltrades), or submit an Issue or PR in this repo.
Also, if this tool or video tutorial was helpful to you, that's always nice to hear as well!
Thank you!
## Contributions & Attribution
Huge thanks to the following contributors for their outstanding work:
- [doomedraven](https://github.com/doomedraven): For your help in integrating RKP into CAPEv2, as well as your continued contributions to the project as a coauthor
- [cccs-rs](https://github.com/cccs-rs): For your help in integrating RKP into AssemblyLine, as well as helping me wrap it to work with MACO
The logo for this project contains modifications of the following images:
- Ouroboros (modified) - Image by Freepik - https://www.freepik.com/free-vector/ouroboros-symbol-illustration_37368320.htm
- Rat King Illustration (modified) - User:Di (they-them), CC BY 4.0 <https://creativecommons.org/licenses/by/4.0>, via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Rat_King_Illustration.svg
Raw data
{
"_id": null,
"home_page": null,
"name": "rat-king-parser",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": "jeFF0Falltrades <8444166+jeFF0Falltrades@users.noreply.github.com>",
"keywords": "asyncrat, dcrat, malware, parser, quasarrat, venomrat, xenorat, xworm",
"author": null,
"author_email": "jeFF0Falltrades <8444166+jeFF0Falltrades@users.noreply.github.com>",
"download_url": "https://files.pythonhosted.org/packages/ac/c3/478e874e3faf1d2a8e174a217b14ec16f04fa260534e2b1ff3aef60a378f/rat_king_parser-4.0.1.tar.gz",
"platform": null,
\"\u07e2\u8a34\ueb43\ufed8\u7bcb\uaeeb\uc2b4\u3e5e\u18a1\u5c16\u0164\u5cba\u1347\u5eb5\ufffd\u734d\u11d4\u54dc\ufeb2\u66bd\": true,\n \"\uf855\u7979\uf1a4\ub970\u3aec\ufffd\u4f2b\u8529\u236d\u49c7\u8295\u3d7c\u920d\u4c38\u0437\u4636\u87e8\u5e9b\ucd43\ud110\": false\n }\n },\n {\n \"file_path\": \"dangerzone/9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4\",\n \"sha256\": \"9bfed30be017e62e482a8792fb643a0ca4fa22167e4b239cde37b70db241f2c4\",\n \"yara_possible_family\": \"venomrat\",\n \"key\": \"86cfd98ca989924e7a9439902dc6a72e315da09c11b100c39cd59b9c9372b192\",\n \"salt\": \"56656e6f6d524154427956656e6f6d\",\n \"config\": {\n \"Ports\": [\n \"4449\"\n ],\n \"Hosts\": [\n \"127.0.0.1\"\n ],\n \"Version\": \"Venom RAT + HVNC + Stealer + Grabber v6.0.3\",\n \"In_stall\": \"false\",\n \"Install_Folder\": \"%AppData%\",\n \"Install_File\": \"speedy\",\n \"Key\": \"TzY1S0thald3UGNURmJTYjNSQVdBYlBQR2tTdUFaTTg=\",\n \"Mutex\": \"ypxcfziuep\",\n \"Certifi_cate\": \"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\",\n \"Server_signa_ture\": \"Sn1WeJuN+Ypb6kUw4QirT1RzbwUEoeSYTmJAIlg0LayMd/VSwAo+0LnnT/g5HFx4QrqaM689CvKqUNfotQb9cPj05dfgrV3SplVDt5twnK6f8nnScqI8trTCmprH1gnOcoKcY8039kFo9dEj+eOiaBF451W181I5fPJd4Uug1bY=\",\n \"Paste_bin\": \"null\",\n \"BS_OD\": \"false\",\n \"Hw_id\": \"null\",\n \"De_lay\": \"1\",\n \"Group\": \"Default\",\n \"Anti_Process\": \"false\",\n \"An_ti\": \"true\"\n }\n },\n {\n \"file_path\": \"dangerzone/a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e\",\n \"sha256\": \"a2817702fecb280069f0723cd2d0bfdca63763b9cdc833941c4f33bbe383d93e\",\n \"yara_possible_family\": \"quasarrat\",\n \"key\": \"None\",\n \"salt\": \"None\",\n \"config\": {\n \"Version\": \"1.0.00.r3\",\n \"RECONNECTDELAY\": 5000,\n \"PASSWORD\": \"5EPmsqV4iTCGjx9aY3yYpBWD0IgEJpHNEP75pks\",\n \"SPECIALFOLDER\": \"APPLICATIONDATA\",\n \"SUBFOLDER\": \"SUB\",\n \"INSTALLNAME\": \"INSTALL\",\n \"INSTALL\": false,\n \"STARTUP\": true,\n \"Mutex\": 
\"e4d6a6ec-320d-48ee-b6b2-fa24f03760d4\",\n \"STARTUPKEY\": \"STARTUP\",\n \"HIDEFILE\": true,\n \"ENABLELOGGER\": true,\n \"Key\": \"O2CCRlKB5V3AWlrHVKWMrr1GvKqVxXWdcx0l0s6L8fB2mavMqr\",\n \"Group\": \"RELEASE\",\n \"hardcoded_hosts\": [\n \"kilofrngcida.xyz:443\",\n \"sartelloil.lat:443\",\n \"fostlivedol.xyz:443\",\n \"comerciodepeixekino.org:443\",\n \"cartlinkfoltrem.xyz:443\",\n \"trucks-transport.xyz:443\"\n ]\n }\n },\n {\n \"file_path\": \"dangerzone/a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b\",\n \"sha256\": \"a76af3d67a95a22efd83d016c9142b7ac9974068625516de23e77a5ac3dd051b\",\n \"yara_possible_family\": \"quasarrat\",\n \"key\": \"b30cea630f7fac6c2e066ce7f29e1b4bab548ee95b20ff6aa7387ce14df5dc30\",\n \"salt\": \"bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941\",\n \"config\": {\n \"\u5bd8\ue8b1\u8902\u4ab3\ue28f\ua5c9\u9297\ufffd\ua748\u954b\u5801\uccda\u71f1\u7314\u754f\u2036\ud518\u34c4\u0bd2\uabfc\": \"1.4.1\",\n \"\ubd74\ua2b2\u88b9\uf912\u680a\u6e1c\u9c57\ufffd\u7f1d\ufa03\uad9d\uefae\uede0\u9540\u0199\uead7\u8879\u6442\u4d27\uc296\": \"10.0.0.61:4782;24.67.68.3:4782;\",\n \"\uaf32\u50ed\ud35f\ue8c1\u8116\ua100\u61aa\u446a\ub74a\ufffd\u1029\ue028\u87a5\u9c32\u6a2d\u643c\u2535\ufffd\uef1b\uf76e\": 3000,\n \"\u8f62\u4a09\u6500\u8f63\ua128\ud6e8\u89c5\ubc5b\u31cd\u663a\u704a\u4531\u4a66\u83fc\u4a96\u302a\ube31\ubebd\u19e8\u02f8\": \"APPLICATIONDATA\",\n \"\u07ef\uab1b\ube45\u54a8\u874d\ue0e0\ucca0\u790d\ueb38\u5e8c\u7e34\u730f\u810b\u520f\uf143\u7e8b\u8718\u1ab1\u43ec\ub81d\": \"SubDir\",\n \"\u1b53\u2db6\u7a71\u05f5\u15fe\u5dbb\ud45e\ue70f\uc163\uf217\uc3f5\ue4e6\uf509\u7212\uc5a2\uee2c\uccf1\u45a8\u4489\u911b\": \"GloomTool.exe\",\n \"\u02b9\u175e\uc513\u9240\u1d5d\ub37e\u7a20\u7dd8\u1709\u68f4\u685b\u0a03\ue1ef\ua892\u0f61\u536b\u0354\ubec7\u3be8\u6095\": true,\n \"\ucef8\ufffd\ud372\ue90d\u611b\u6b37\u53e3\uc3d8\ud442\uc0ca\u02bf\u1477\u82fd\u2449\uc82b\u73dd\u319c\u4a3c\u1d46\u8f98\": true,\n 
\"\u5602\u18be\u066a\uffc6\u116d\uee93\u7b71\u51f6\uc63f\ue0f2\u5dbb\ufb61\uf17c\u085b\u0b6d\u1784\u24b7\u5a29\u62a2\u843d\": \"9fdd3e80-d560-431b-b526-3ebbc1799110\",\n \"\u9ff4\ufffd\u86bf\u3143\uc7c4\u1f9a\ub115\u86df\u987b\ua045\u3287\u646f\ud08b\u62de\ubee7\u2270\u1e3a\uec69\ub7cc\u8007\": \"WindowsAV\",\n \"\ub6ca\u3566\u419d\u1762\u554d\u2999\ue26d\u2649\u66d7\uae3f\ua1a8\u0df6\u5d48\ufffd\u0861\u1386\u6def\u678d\u5cbd\uadcc\": true,\n \"\u6c44\ub609\u68c0\ud49b\u9e28\u8fdc\u286e\ub4b3\ue333\u5c6e\u4ab9\uffa2\u7b4e\u06b9\u0a27\u8ed8\u765d\ub817\u4809\u6fac\": true,\n \"\uab42\u38e0\ucdfc\u0a20\u97f7\u1505\ub1b7\u5d18\u59c3\u36f1\ua70a\u8e85\ud489\uf6bb\ua390\u233d\uabff\u3c76\uf888\u2974\": \"5F91B88C67A9ACF78B2396771B3B6F2B4615CA57\",\n \"\uc238\uc713\u338a\u6dd8\ua951\u123a\u08d3\u4de2\u34e6\uee25\u6392\u6eb3\u6600\u8b93\ud1fe\u4bea\ud6f2\uee6e\ufffd\u0fc5\": \"Office04\",\n \"\ub9d6\u27d1\u15fd\u6565\u60bc\ufffd\ub07b\ub445\u85bf\u4d12\u23af\ufffd\u5766\ucc79\uf138\ud0cf\u7405\u37d8\ueed4\u4e44\": \"Logs\",\n \"\u28ff\u5da4\uba02\u3368\u0311\ud328\u719f\u587e\ue088\u40ad\u1abe\ufffd\ubc83\uff49\ufffd\uf39d\u1489\u83dc\uecb4\u08a7\": \"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\",\n \"\ufaea\u4908\u9188\u6146\uc2d4\u46be\u6a0e\u6405\uccf6\u7a36\uc15c\u5dba\u1927\u670f\u117e\u3e11\uf326\u3f3f\ud664\u56f8\": \"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\",\n \"\u6482\u55cc\u0c00\u6e0c\ub0cb\u2739\uc5f3!\ufffd\ue2a4\u6690\uc017\uc09a\u7623\uad2b\ua765\u0d61\u73c1\u4b66\u438d\": true,\n \"\uab2a\u1e1c\u930c\u29e5\u7430\u951c\u8251\ub2c5\ue36d\uc373\u5b93\u5e42\uc8fa\u499b\ufffd\u1786\u8f36\uef98\u8dc2\u6926\": true,\n \"\ub27b\ud270\ufffd\u355e\u1622\u7519\u9d96\u7364\uc9d0\u1fde\u52a9\uba41\u1e31\u6312\u8c77\u2adf\u168a\ub8ea\u6141\u6a1f\": \"\",\n \"\uebb2\u4c72\uf95a\ufffd\ufffd\ua787\u4955\u9b1b\ufffd\u884c\ufcc4\ue409\u5744\ub527\u981c\ue9ca\ucb25\u79b8\u7ada\u23fa\": \"\",\n 
\"\u5254\u58f4\u661a\ucf1c\ua701\uea1d\u2f73\u5f72\u61d4\u5da5\u9863\u785d\u82b9\u6196\u9e96\uf4a6\u6ee1\u5883\ua878\uf173\": true\n }\n },\n {\n \"file_path\": \"dangerzone/b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e.exe\",\n \"sha256\": \"b5bff486f091f9539606931e0aff280eaea17064b2a12940675dfac926e9666e\",\n \"yara_possible_family\": \"xworm\",\n \"key\": \"c527ac2a4eeb6039d9477583d0f4f2c527ac2a4eeb6039d9477583d0f4f2ee00\",\n \"salt\": \"None\",\n \"config\": {\n \"Hosts\": [\n \"act-cleaning.gl.at.ply.gg\"\n ],\n \"Ports\": [\n \"37158\"\n ],\n \"KEY\": \"<123456789>\",\n \"SPL\": \"<Xwormmm>\",\n \"Sleep\": 3,\n \"Group\": \"NeverLoseCrack\",\n \"USBNM\": \"USB.exe\",\n \"InstallDir\": \"%ProgramData%\",\n \"InstallStr\": \"svchost.exe\",\n \"Mutex\": \"OkWVOTioL6k3Fg3w\",\n \"LoggerPath\": \"\\\\Log.tmp\"\n }\n },\n {\n \"file_path\": \"dangerzone/beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5.exe\",\n \"sha256\": \"beb1b5cd2a33e86e48599b183b882fc3e80198a8062e5b9d9251e605d3f0bfd5\",\n \"yara_possible_family\": \"quasarrat\",\n \"key\": \"b5580a84ddadcf548713dd64fedbbe067f931e6ce4699271de572acbd52f4074\",\n \"salt\": \"bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941\",\n \"config\": {\n \"\u4f14\u96c2\u5a40\u703f\u0a1f\uf8b4\uf5c2\u6604\ub4a2\uc15f\u1fd4\ufffd\ud61e\u3beb\u50dd\ud067\u7d5c\u9300\u42fd\uca96\": \"1.4.1\",\n \"\ufffd\ub0d6\u80c3\u6ad0\ud10c\u3665\u0a0d\u73c3\u2b06\u90d8\uf819\u2adc\u1514\uacbf\uabfd\u34e3\u738c\uebd7\u483e\u9572\": \"91.92.241.122:6969;\",\n \"\u4bb1\u26f4\uefa6\ufffd\ua4de\u7350\u3c9a\uec96\uc56e\u1af7\ucee8\u1d89\u7d9f\u376c\u365a\u0dbd\u135e\u5c77\u70c5\ue028\": 3000,\n \"\uc200\ub346\u884f\uaa91\ua274\u95e6\u0436\uc730\ucb01\u8a81\u3447\ufffd\uf6bc\ud448\ua2a6\u2d59\u9f2d\ufffd\ud37d\ub2e2\": \"APPLICATIONDATA\",\n \"\ua025\ud2aa\ufd3f\ud4ea\u50d7\u4d4a\u3e42\u6eb3\u107a\ub826\ufffd\u5767\u2b16\ue52f\ufbd3\ufffd\u9a68\u3f02\u33dc\uc89f\": \"\",\n 
\"\u02bc\u1799\ucb00\ubbcd\uf862\ufffd\ufffd\u1c46\u8d18\u597d\u9897\u8ceb\u67ca\u2529\u94b5\u028c\uba43B\u8791\u4b4f\": \"Client.exe\",\n \"\ua9ed\ua1f6\u9b76\u48c8\ue4e7\ueeb2\u129c\u7637\u7b35\u06ef\u7549\u9321\uc750\u16db\u7bb6\uc6e4\u344d\u9acc\ufffd\uc60d\": true,\n \"\u6590\uebcc\u26ca\u44bf\u0bff\u9d42\u0281\u3ad4\ud5ca\u9041\u9a97\ua2b5\u38c9\u168f\u3cf1\u9c38\u083f\u4d59\uae7f\u34ac\": true,\n \"\u7c14\uc311\u9976\u66f0\u59de\u8023\u33b9\u4976\u9bf9\ua3c3\u63fc\ua590\u17b7\uc2df\ue9d1\ue4dc\ue486\ue80c\ucea5\u4f3d\": \"fcf2be0a-a426-40c6-b153-1a354814f80d\",\n \"\u40e6\u7478\u4c4c\u7c7e\ucb87\u0a88\u5e1d\u8743\u9ef1\uf10f\u4964\uae02\ufffd\ub4d7\u123d\uc5ee\ufffd\u0f8b\u8791\ufffd\": \"Quasar Client Startup\",\n \"\u9d76\u1cf5\u4c11\u8a35\u1dbb\u32ea\u636e\ue31d\u2f47\u12f0\u2161\u44af\u0a93\u5939\u12de\u16c0\ubfb1\u1df5\u9398\ub72f\": false,\n \"\u3672\u8f01\u7d6b\ue40a\u4c96\u4c8e\u5d1b\u5a58\u3a01\uc6f3\u44ea\ufab8\u421c\u8c47\u124a\u7aed\u45f9\u2efc\u83c8\u9375\": true,\n \"\u360e\u2592\uf11a\u93e2\u38d7\ue5ed\ub97e\ufa5b\u6893\u52c4\u92ed\u1eca\u79e9\u4d30\u4bfe\ue9f7\u7375\u3c00\u0d87\u8814\": \"26A6C07FE7354BCD244B108D2E3538DCF04477F5\",\n \"\u51f7\ud083\u74f8\uf553\u4c96\uaa7e\ua2f7\u70ff\u7b78\u99f8\uc257\ud74b\u39c3\ue6c7\u06db\u40f5\u6fb6\u6d5f\ubdec\u4891\": \"Fab\",\n \"\u0f46\ube49\ub93a\ub928\u5204\ua553\u5768\u8fc4\u6e4e\u9bd9\u2af5\ufc3f\u418c\u1c44\u3fd0\ue165\u1f73\u22c6\u3548\u55ce\": \"Logs\",\n \"\u1692\u5b8b\u3f7e\u4e9e\uaff7\u7263\ue342\u3d33\ub36f\u87ed\ube49\u6077\ubf1e\u6afb\ube5c\ua5af\ufffd\ua4b3\ua597\ud7bb\": 
\"U/jVlmjpH/9zMrLFla8LcLavxUQe9wt9L6qGAh9zYqPdqDW0e0fRlnxEST/s3HTVlAyuqIyn5yKrWKaXCMUHKcjpAWVQ9jPLAteKNgIRz5Soa8qxWgD215NTswSL/tYwdPW2svV9y6ELPKScSacDyZlBp47bv299XhxjeUkAXIli59EHnHxAIlOS/Ag51onRTlEkGYIVQO1IJjGoGQe8pND5JwWOVi072s67A16SNYJmPrCNqDjCMVjYDRwLqusbuDPF2K0wIVLn4RzLr+F1O5e5Rh8GFIj/7qa8gOy2kjAbczo3AAKZG3sghrut27P2ldxGcWpsms5w97k7WJ91goBms0n/hV29sRDiYG51xey3KqcTp2UspvLUzNJek21CZk+EgCQ3Q7+aZxdLAIEfwAo0cq7lJkq3iEZuZ+86sts1D3YToM9+mRtIDAeb/op2oxvWbJOqeA9YME2A7PWDVI6bH9kcru5UolqfxPRIH7Aa8BVzAbctghbaVZCiwkI0lxc9hijCLZugOnKXtFU3A+hPVyc/aDqZcWPDu7u9jWbrWIk6JqLGbnJYiU6a4p7IwdGnVwkA49aD4ZnKqWo8tSKLCd+dvP4nx+pqYWiUpf+rdy/xH1MBbPj/lPlphmrFFHijlBufVoSLa88/rBv+Fb9ox2Ei2t5RJYTLDEoP0oY=\",\n \"\u4a27\u7323\ue778\u2223\u0b66\ufffd\u7a1c\u2689\u67e8\u6681\uc99b\uea3a\uecb4\ucffe\u576f\ub603\ud1ba\ufeec\u1084\uf575\": \"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\",\n \"\uf085\u5d65\u5e10\u8fc9\u2df9\uc731\u3165\u4895\u23a5\u2537\ua035\uca0a\ua04c\uc0d6\ucb9f\u94d2\ufdfc\u397a\ucfe1\u8326\": false,\n \"\u0bbe\u5dea\u9a38\u4465\u9af2\u9dde\ub692\u730c\u9266\ued45\u6246\ucf21\u22b8\ued9b\ua709\u0f3e\u26be\u9f94\ue7ce\u85ae\": false,\n \"\ufe96\u010a\ua823\u3b3f\u852d\u4b95\u52b4\u9160\u23fb\ua71c\u7c04\ua661\u86bc\uc8a6\u23fa\u812c\ub7cc\ue925\ud329\u3fd1\": \"\",\n \"\uf446\u3749\ub2a3\u6f0a\uaa41\u190c\uf58b\ubaa4\ub4a6\uc9da\ud5bb\ua65d\uabf8\u3ad2\ub242\u645d\u3622\ub877\u3828\u15ea\": \"\",\n \"\u127c\u0c8e\u7ed2\u4e6b\ufffd\u60a3\u3dd5\u3fe7\u3b23\u7fd4\u1e33\u26eb\ufc51\u6c16\u1516\uc85e\u85bf\u141b\uaa1b\u9185\": true\n }\n },\n {\n \"file_path\": \"dangerzone/d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e\",\n \"sha256\": \"d5028e10a756f2df677f32ebde105d7de8df37e253c431837c8f810260f4428e\",\n \"yara_possible_family\": \"xenorat\",\n \"key\": \"650f47cdd14eaef8c529f2a03fa7744c\",\n \"salt\": \"None\",\n \"config\": {\n \"Hosts\": [\n \"77.221.152.198\"\n ],\n \"Ports\": 4444,\n \"Key\": 
\"03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4\",\n \"delay\": 5000,\n \"mutex_string\": \"Xeno_rat_nd89dsedwqdswdqwdwqdqwdqwdwqdwqdqwdqwdwqdwqd12d\",\n \"DoStartup\": 2222,\n \"Install_path\": \"appdata\",\n \"startup_name\": \"nothingset\"\n }\n },\n {\n \"file_path\": \"dangerzone/db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa\",\n \"sha256\": \"db09db5bdf1dcf6e607936a6abbe5ce91efbbf9ce136efc3bdb45222710792fa\",\n \"yara_possible_family\": \"venomrat\",\n \"key\": \"11ed70df5ce22de750c6e7496fa5c51985c321d2d9dd463979337af003644f41\",\n \"salt\": \"56656e6f6d524154427956656e6f6d\",\n \"config\": {\n \"Ports\": [\n \"4449\",\n \"7772\"\n ],\n \"Hosts\": [\n \"127.0.0.1\"\n ],\n \"Version\": \"Venom RAT + HVNC + Stealer + Grabber v6.0.3\",\n \"In_stall\": \"false\",\n \"Install_Folder\": \"%AppData%\",\n \"Install_File\": \"\",\n \"Key\": \"M1NoWkREazBvNTNGUkRlT0s4TjE1QlRRQmx4bW1zd2U=\",\n \"Mutex\": \"qmhvogiycvwh\",\n \"Certifi_cate\": \"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\",\n \"Server_signa_ture\": \"BW9mNNWdLZ+UgmfSTOot753DE24GfE+H6HYG5yl4IFszdMLpfQXijxVlt3bcz68PrHwYG2R70J+h9EVUXPjNw2GgCH5I8BvOw6Luh09VjE3YrfERSa2NKJ7baO9U9NDhM4HaSUCUvXGbR6J0itLe+2YthV7GXSCEbbmfZI9UYKU=\",\n \"Paste_bin\": \"null\",\n \"BS_OD\": \"false\",\n \"Hw_id\": \"null\",\n \"De_lay\": \"1\",\n \"Group\": \"Default\",\n \"Anti_Process\": \"false\",\n \"An_ti\": \"false\"\n }\n },\n {\n \"file_path\": \"dangerzone/fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d\",\n \"sha256\": \"fb0d45b0e48b0cdda2dd8c5a152f3c7a375c18d63e588f6a217c9d47f7d5199d\",\n \"yara_possible_family\": \"xworm\",\n \"key\": \"e5f7efe2fddd6755c92cbc39d5559ce5f7efe2fddd6755c92cbc39d5559c4000\",\n \"salt\": \"None\",\n \"config\": {\n \"aumDBZNDJ7f2\": \"mo1010.duckdns.org\",\n \"gnnrkMjhrGnD\": \"7000\",\n \"xeGVxN2u4Sp3\": \"<123456789>\",\n \"upgseICLHsZe\": \"<Xwormmm>\",\n \"jF5pyMR4K1B8\": 3,\n \"VpYiyt9aVUsv\": \"USB.exe\",\n 
\"z7mwUS4LmaFC\": \"%AppData%\",\n \"Fjg9TdM4RTsH\": \"tBZ7NDtphvUCm0Dc\",\n \"5BPKEMIKpcCV\": \"\\\\Log.tmp\"\n }\n },\n {\n \"file_path\": \"dangerzone/vstdlib_s64\",\n \"sha256\": \"6e5671dec52db7f64557ba8ef70caf53cf0c782795236b03655623640f9e6a83\",\n \"yara_possible_family\": \"quasarrat\",\n \"key\": \"526f35346a62726168486530765a6266487a7039685575526637684a737575794b4c7933654e5a3465644c415a71455861676b3078357767563277364d544b5339367279367959664d6a66456f35653934784e396c684e346b514c4e7479317442704974\",\n \"salt\": \"None\",\n \"config\": {\n \"Version\": \"1.0.00.r6\",\n \"RECONNECTDELAY\": 5000,\n \"PASSWORD\": \"5EPmsqV4iTCGjx9aY3yYpBWD0IgEJpHNEP75pks\",\n \"SPECIALFOLDER\": \"APPLICATIONDATA\",\n \"SUBFOLDER\": \"SUB\",\n \"INSTALLNAME\": \"INSTALL\",\n \"INSTALL\": false,\n \"STARTUP\": true,\n \"Mutex\": \"e4d6a6ec-320d-48ee-b6b2-fa24f03760d4\",\n \"STARTUPKEY\": \"STARTUP\",\n \"HIDEFILE\": true,\n \"ENABLELOGGER\": true,\n \"Key\": \"O2CCRlKB5V3AWlrHVKWMrr1GvKqVxXWdcx0l0s6L8fB2mavMqr\",\n \"Group\": \"RELEASE\",\n \"xor_decoded_strings\": [\n \"BPN - Nuestro Banco\",\n \"Red Link - bpn\",\n \"HB Judiciales BPN\",\n \"Ingres\u00e1 a tu cuenta\",\n \"Online Banking Web\",\n \"Banca Empresa 3.0\",\n \"Banco Ciudad\",\n \"Banco Ciudad | Autogesti\u00f3n\",\n \"Banca Empresa 3.0\",\n \"Banco Comafi - Online Banking\",\n \"Banco Comafi - eBanking Empresas\",\n \"Online Banking Santander | Inicio de Sesi\u00f3n\",\n \"Online Banking Empresas\",\n \"Online Banking\",\n \"Office Banking\",\n \"HSBC Argentina\",\n \"HSBC Argentina | Bienvenido\",\n \"accessbanking.com.ar/RetailHomeBankingWeb/init.do?a=b\",\n \"ICBC Access Banking | Home Banking\",\n \"Banco Patagonia\",\n \"ebankpersonas.bancopatagonia.com.ar/eBanking/usuarios/login.htm\",\n \"P\u00e1gina del Banco de la Provincia de Buenos Aires\",\n \"Red Link\",\n \"bind - finanzas felices :)\",\n \"BindID Ingreso\",\n \"BBVA Net Cash | Empresas | BBVA Argentina\",\n \"Bienvenido a nuestra Banca Online | BBVA 
Argentina\",\n \"Ingres\u00e1 tu e-mail, tel\u00e9fono o usuario de Mercado Pago\",\n \"Mercado Pago | De ahora en adelante, hac\u00e9s m\u00e1s con tu dinero.\",\n \"Mercado Pago\",\n \"Home Banking\",\n \"Office Banking\",\n \"Banco Santa Cruz Gobierno - Una propuesta para cada Comuna o Municipio | Banco Santa Cruz\",\n \"Home banking\",\n \"Office Banking\",\n \"Banco de Santa Cruz\",\n \"Red Link\",\n \"Banco de la Naci\u00f3n Argentina\",\n \"Red Link - BANCO DE LA NACION ARGENTINA\",\n \"Red Link\",\n \"Macro | Agenda powered by Whyline\",\n \"Banco Macro | Banca Internet Personas\",\n \"Banco Macro | NUEVA Banca Internet Empresas\",\n \"https://argentina-e4162-default-rtdb.firebaseio.com/user.json\",\n \"C:\\\\\\\\Users\\\\\\\\\",\n \"\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Aplicativo Itau\",\n \"C:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\",\n \"C:\\\\\\\\ProgramData\\\\\\\\scpbrad\",\n \"C:\\\\\\\\ProgramData\\\\\\\\Trusteer\",\n \"dd.MM.yyyy HH:mm:ss\",\n \"application/json\",\n \"Sistema no disponible, intente nuevamente m\u00e1s tarde.\",\n \"SENHA DE 6 BPN\",\n \"SENHA DE 6 NB\",\n \"SENHA DE 6 CIUDAD\",\n \"SENHA DE 6 COMAFI\",\n \"SENHA DE 6 GALACIA\",\n \"SENHA DE 6 HSBC\",\n \"SENHA DE 6 ICBC\",\n \"SENHA DE 6 PATAGONIA\",\n \"SENHA DE 6 PROVINCIA\",\n \"SENHA DE 6 SANTANDER\",\n \"SENHA DE 6 BIND\",\n \"SENHA DE 6 BBVA\",\n \"driftcar.giize.com:443\",\n \"adreniz.kozow.com:443\"\n ]\n }\n }\n]\n```\n\n## Feedback, Issues, and Additions\n\nIf you have suggestions for improvement, bugs, feedback, or additional RAT families that use a similar configuration format as AsyncRAT, QuasarRAT, VenomRAT, DcRAT, etc. 
that are not yet supported, please send me a message on [Mastodon](https://infosec.exchange/@jeFF0Falltrades), [YouTube](https://www.youtube.com/c/jeff0falltrades), or submit an Issue or PR in this repo.\n\nAlso, if this tool or video tutorial was helpful to you, that's always nice to hear as well!\n\nThank you!\n\n## Contributions & Attribution\nHuge thanks to the following contributors for their outstanding work:\n\n- [doomedraven](https://github.com/doomedraven): For your help in integrating RKP into CAPEv2, as well as your continued contributions to the project as a coauthor\n- [cccs-rs](https://github.com/cccs-rs): For your help in integrating RKP into AssemblyLine, as well as helping me wrap it to work with MACO\n\nThe logo for this project contains modifications of the following images:\n\n- Ouroboros (modified) - Image by Freepik - https://www.freepik.com/free-vector/ouroboros-symbol-illustration_37368320.htm\n- Rat King Illustration (modified) - User:Di (they-them), CC BY 4.0 <https://creativecommons.org/licenses/by/4.0>, via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Rat_King_Illustration.svg\n",
"bugtrack_url": null,
"license": "Copyright (c) 2024 Jeff Archer Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \u201cSoftware\u201d), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED \u201cAS IS\u201d, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ",
"summary": "A robust, multiprocessing-capable, multi-family RAT config parser/config extractor for AsyncRAT, DcRAT, VenomRAT, QuasarRAT, XWorm, Xeno RAT, and cloned/derivative RAT families.",
"version": "4.0.1",
"project_urls": {
"Bug Reports": "https://github.com/jeFF0Falltrades/rat_king_parser/issues",
"Homepage": "https://github.com/jeFF0Falltrades/rat_king_parser",
"Say Thanks!": "https://www.buymeacoffee.com/jeff0falltrades"
},
"split_keywords": [
"asyncrat",
" dcrat",
" malware",
" parser",
" quasarrat",
" venomrat",
" xenorat",
" xworm"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "0970b124ba24b9c7bb127411f0c73badb8a1f65b7b069e563e384cd47e007d1a",
"md5": "33349ba98b2e8474d9ab6fd57c3fa341",
"sha256": "f5f8db807c371d4a2e634fa92b7de9ec67a1ae8e0a1c2e39e14aceec5c8fb279"
},
"downloads": -1,
"filename": "rat_king_parser-4.0.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "33349ba98b2e8474d9ab6fd57c3fa341",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 75643,
"upload_time": "2024-12-30T04:07:54",
"upload_time_iso_8601": "2024-12-30T04:07:54.570867Z",
"url": "https://files.pythonhosted.org/packages/09/70/b124ba24b9c7bb127411f0c73badb8a1f65b7b069e563e384cd47e007d1a/rat_king_parser-4.0.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "acc3478e874e3faf1d2a8e174a217b14ec16f04fa260534e2b1ff3aef60a378f",
"md5": "f8e91f64dd542ba3a2d151c149c1dc68",
"sha256": "9fb57c0ff925e988344a179bcc6b6df2eba98f4815865ee2088982ea71680956"
},
"downloads": -1,
"filename": "rat_king_parser-4.0.1.tar.gz",
"has_sig": false,
"md5_digest": "f8e91f64dd542ba3a2d151c149c1dc68",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 96038,
"upload_time": "2024-12-30T04:07:57",
"upload_time_iso_8601": "2024-12-30T04:07:57.397128Z",
"url": "https://files.pythonhosted.org/packages/ac/c3/478e874e3faf1d2a8e174a217b14ec16f04fa260534e2b1ff3aef60a378f/rat_king_parser-4.0.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-12-30 04:07:57",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "jeFF0Falltrades",
"github_project": "rat_king_parser",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "rat-king-parser"
}
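The "Example Input/Output" section of the README above shows that RKP deliberately emits each family's configuration as the sample stores it, so the same indicator lands under different keys across samples: `Hosts`/`Ports` lists for AsyncRAT, underscore-split names such as `In_stall` for DcRAT/VenomRAT, a scalar `Ports` for XenoRAT, a `host:port;host:port;` string under an obfuscated key for QuasarRAT, randomised key names for some XWorm builds, and `%Hosts%`-style placeholders in unconfigured builder stubs. The script below is an added example, written for this page and not part of the rat_king_parser project, that consumes that JSON and normalises it into C2 host/port pairs and mutexes. Its key list, the file-extension filter and the assumption that a port in an unrecognised key is an all-digit string (as in the XWorm record above) are heuristics derived from the output shown on this page, not RKP behaviour it guarantees; the `SAMPLE` records are constructed for the example, modelled on the README output.

```python
# Added example (not rat_king_parser code): normalise RKP JSON records into C2 indicators.
import ipaddress
import json
import re
import sys

# Keys RKP emits for C2 data in the README output, compared with underscores and case
# stripped so that "Hosts", "mutex_string" and "hardcoded_hosts" all resolve.
HOST_KEYS, PORT_KEYS, MUTEX_KEYS = ("hosts", "hardcodedhosts"), ("ports",), ("mutex", "mutexstring")
HOST_PORT_RE = re.compile(r"(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})")   # Quasar "h:p;h:p;"
HOST_RE = re.compile(r"[A-Za-z0-9.\-]+")
PLACEHOLDER_RE = re.compile(r"%[A-Za-z_]+%")        # unconfigured builder stub: "%Hosts%"
FILE_EXTS = {"exe", "dll", "tmp", "log", "txt", "dat", "bat", "vbs", "ps1", "json"}  # heuristic

def _as_list(value):
    return [] if value is None else [str(v) for v in (value if isinstance(value, list) else [value])]

def _strings(config):
    """Every string value in a config, descending one level into lists."""
    for value in config.values():
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, str):
                yield item.strip()

def _looks_like_host(s):
    if not HOST_RE.fullmatch(s) or "." not in s:
        return False
    try:
        return bool(ipaddress.ip_address(s))
    except ValueError:
        tld = s.split(".")[-1].lower()   # "USB.exe"/"Log.tmp" are file names, "1.0.7" a version
        return tld.isalpha() and len(tld) >= 2 and tld not in FILE_EXTS

def _scan_values(config):
    """Fallback for obfuscated (Quasar) or randomised (XWorm) keys. Ports come only from
    all-digit *strings*: in the README output XWorm's port is "7000" but sleep/delay are ints."""
    hosts, ports = [], []
    for s in _strings(config):
        parts = [p for p in s.split(";") if p]
        if parts and all(HOST_PORT_RE.fullmatch(p) for p in parts):
            hosts.extend(parts)
        elif _looks_like_host(s):
            hosts.append(s)
        elif s.isdigit() and 0 < int(s) < 65536:
            ports.append(s)
    return hosts, ports

def extract_c2(record):
    """One RKP record -> sha256, family, sorted (host, port|None) pairs, mutex and two flags."""
    config = record.get("config") or {}
    by_key = {k.replace("_", "").lower(): v for k, v in config.items()}
    hosts = [h for k in HOST_KEYS for h in _as_list(by_key.get(k))]
    ports = [p for k in PORT_KEYS for p in _as_list(by_key.get(k))]
    mutex = next((str(by_key[k]) for k in MUTEX_KEYS if k in by_key), None)
    template = any(PLACEHOLDER_RE.fullmatch(x) for x in hosts + ports + ([mutex] if mutex else []))
    hosts = [h for h in hosts if not PLACEHOLDER_RE.fullmatch(h)]
    ports = [p for p in ports if not PLACEHOLDER_RE.fullmatch(p)]
    mutex = None if mutex and PLACEHOLDER_RE.fullmatch(mutex) else mutex
    if not hosts:                                     # no recognisable key: scan the values
        hosts, scanned = _scan_values(config)
        ports = ports or scanned
        mutex = mutex or next((s for s in _strings(config) if s.startswith("QSR_MUTEX_")), None)
    c2 = set()
    for entry in hosts:
        m = HOST_PORT_RE.fullmatch(entry)
        if m:                                          # port embedded in the host entry
            c2.add((m.group("host"), int(m.group("port"))))
        elif ports:                                    # AsyncRAT style: every host x every port
            c2.update((entry, int(p)) for p in ports if p.isdigit())
        else:
            c2.add((entry, None))
    c2 = sorted(c2, key=lambda hp: (hp[0], hp[1] or 0))
    return {"sha256": record.get("sha256"), "family": record.get("yara_possible_family"),
            "c2": c2, "mutex": mutex, "template_build": template,
            "loopback_only": bool(c2) and all(h.startswith("127.") for h, _ in c2)}  # dev/test build

# Constructed records modelled on the README's example output (not the real files).
SAMPLE = [
    {"sha256": "a" * 64, "yara_possible_family": "asyncrat", "config": {
        "Ports": ["6606", "7707", "8808"], "Hosts": ["127.0.0.1"], "Mutex": "AsyncMutex_6SI8OkPnk"}},
    {"sha256": "b" * 64, "yara_possible_family": "asyncrat", "config": {
        "Ports": ["%Ports%"], "Hosts": ["%Hosts%"], "Mutex": "%MTX%", "Version": "%Version%"}},
    {"sha256": "c" * 64, "yara_possible_family": "quasarrat", "config": {   # obfuscated keys
        "\u5bd8\ue8b1": "1.4.1", "\ubd74\ua2b2": "10.0.0.61:4782;24.67.68.3:4782;", "\uaf32\u50ed": 3000,
        "\u1b53\u2db6": "GloomTool.exe", "\ubdc9\u0de2": "QSR_MUTEX_YMblzlA3rm38L7nnxQ"}},
    {"sha256": "d" * 64, "yara_possible_family": "xworm", "config": {       # randomised keys
        "aumDBZNDJ7f2": "mo1010.duckdns.org", "gnnrkMjhrGnD": "7000", "jF5pyMR4K1B8": 3,
        "VpYiyt9aVUsv": "USB.exe", "z7mwUS4LmaFC": "%AppData%", "5BPKEMIKpcCV": "\\Log.tmp"}},
    {"sha256": "e" * 64, "yara_possible_family": "xenorat", "config": {     # scalar port
        "Hosts": ["77.221.152.198"], "Ports": 4444, "delay": 5000, "mutex_string": "Xeno_rat_nd89"}},
]

if __name__ == "__main__":   # rat-king-parser -n dangerzone/* | python3 rkp_c2.py
    records = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for rec in records:
        print(json.dumps(extract_c2(rec)))
```

Run with the parser's output piped in, or with no stdin to process the constructed records. Two of the flags matter when feeding this into blocklists: `template_build` marks a builder stub whose `%Hosts%` placeholders were never filled (the 0e19cefb… record above), so it yields no indicator, and `loopback_only` marks builds that only talk to 127.0.0.1, which several of the sample configs do and which are worth keeping as hashes and mutexes but not as network IOCs.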