[SAFE DUMMY FILE - PRACIVO LAB - NOT REAL MALWARE]

Strings extracted from fake RAT binary:

SUSPICIOUS_STRINGS_FOUND:
- "cmd.exe"
- "powershell -enc"
- "GetAsyncKeyState" (keylogger)
- "CreateRemoteThread" (process injection)
- "VirtualAllocEx" (memory allocation in remote process)
- "WriteProcessMemory" (code injection)
- "SetWindowsHookEx" (keyboard/mouse hook)
- "GetClipboardData" (clipboard stealing)
- "screenshot"
- "webcam"
- "microphone"
- "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHelper"

C2_COMMUNICATION:
- User-Agent: "Mozilla/5.0 (compatible; MSIE 9.0)" (fake browser UA)
- HTTP POST to: 94.102.49.190/update/check
- Data encoded in: base64
- Beacon interval: 60 seconds

ANTI_ANALYSIS_TECHNIQUES:
- IsDebuggerPresent() check
- Checks for VM: VMware, VirtualBox registry keys
- Sleep(300000) — delays execution to evade sandbox timeout
- Self-modifying code in section .pack

PERSISTENCE_MECHANISMS:
- Startup folder: C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- Registry run key
- Scheduled task: "WindowsUpdateHelper" running every 15 min

ANALYSIS_NOTES:
Common RAT families: DarkComet, NjRAT, AsyncRAT, Remcos, Cobalt Strike.
Tools: Wireshark (C2 traffic), Process Monitor, Autoruns (persistence).