RATDecoders NanoCore version – Python Decoders for Common Remote Access Trojans

Changelog NanoCore version 20/10/2016:
+ All decoder scripts have been updated for the NanoCore version.

RATDecoders: a collection of Python scripts that extract and decode the configuration settings from common RATs.

Here is a list of the currently supported RATs:
– Adwind
– Albertino Advanced RAT
– Arcom
– BlackNix
– BlackShades
– Blue Banana
– Bozok
– ClientMesh
– CyberGate
– DarkComet
– DarkDDoser
– DarkRat
– Graeme
– jRat
– LostDoor
– LuxNet
– njRat
– Pandora
– PoisonIvy
– Punisher
– SpyGate
– SmallNet
– Unrecom
– Vantom
– Vertex
– VirusRat
– Xtreme

Upcoming RATs:
– NetWire
– Gh0st
– Plasma
– Any other RATs I can find.

Requirements:
Several Python modules are required, and each script has its own dependencies, so please check the individual scripts. The list below is a complete listing of all Python modules used across all decoders:

pefile – https://code.google.com/p/pefile/
pycrypto – https://pypi.python.org/pypi/pycrypto/2.6.1
pype32 – https://github.com/crackinglandia/pype32

ToDo:
– More decoders are coming.
– Finish the recursive mode on several of the decoders.

References:
Malware.lu for the initial Xtreme RAT write-up – https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT

FireEye for their Poison Ivy and Xtreme RAT write-ups (even though they ignored my tweet and reply) – http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html

Shawn Denbow and Jesse Hertz for their paper – http://www.matasano.com/research/PEST-CONTROL.pdf

Usage & Download from git:

Source: https://github.com/kevthehermit