⚠️ Pracivo Security Lab — All samples are COMPLETELY SAFE text files. No real malware. For learning static analysis techniques only.
> SystemUpdate.exe.txt — Strings Output
Remote Access Trojan
[SAFE — TEXT ONLY]
[SAFE DUMMY FILE - PRACIVO LAB - NOT REAL MALWARE]
Strings extracted from fake RAT binary:
SUSPICIOUS_STRINGS_FOUND:
- "cmd.exe"
- "powershell -enc"
- "GetAsyncKeyState" (keylogger)
- "CreateRemoteThread" (process injection)
- "VirtualAllocEx" (memory allocation in remote process)
- "WriteProcessMemory" (code injection)
- "SetWindowsHookEx" (keyboard/mouse hook)
- "GetClipboardData" (clipboard stealing)
- "screenshot"
- "webcam"
- "microphone"
- "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHelper"
C2_COMMUNICATION:
- User-Agent: "Mozilla/5.0 (compatible; MSIE 9.0)" (fake browser UA)
- HTTP POST to: 94.102.49.190/update/check
- Data encoded in: base64
- Beacon interval: 60 seconds
ANTI_ANALYSIS_TECHNIQUES:
- IsDebuggerPresent() check
- Checks for VM: VMware, VirtualBox registry keys
- Sleep(300000) — delays execution to evade sandbox timeout
- Self-modifying code in section .pack
PERSISTENCE_MECHANISMS:
- Startup folder: C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- Registry run key
- Scheduled task: "WindowsUpdateHelper" running every 15 min
ANALYSIS_NOTES:
Common RAT families: DarkComet, NjRAT, AsyncRAT, Remcos, Cobalt Strike.
Tools: Wireshark (C2 traffic), Process Monitor, Autoruns (persistence).
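As an added example (not part of the Pracivo lab sheet), the kind of triage script an analyst would run over a strings dump like the one above: it groups hits by category and only escalates the process-injection APIs when the full VirtualAllocEx / WriteProcessMemory / CreateRemoteThread set is present, since any one of them alone is common in benign software. The input list is constructed from the strings listed on this page.

```python
import re
from collections import defaultdict

# Constructed sample: lines a `strings` run over the lab's fake binary would print.
# Values are copied from the lab sheet; this is not real malware output.
SAMPLE_STRINGS = """\
cmd.exe
powershell -enc
GetAsyncKeyState
CreateRemoteThread
VirtualAllocEx
WriteProcessMemory
SetWindowsHookEx
GetClipboardData
IsDebuggerPresent
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsHelper
Mozilla/5.0 (compatible; MSIE 9.0)
94.102.49.190/update/check
kernel32.dll
""".splitlines()

# category -> list of (regex, analyst note). A single hit is a hint, not a verdict.
RULES = {
    "injection": [(r"^(VirtualAllocEx|WriteProcessMemory|CreateRemoteThread)$", "remote-process write/exec API")],
    "keylogging": [(r"^(GetAsyncKeyState|SetWindowsHookEx)$", "keyboard capture API")],
    "clipboard": [(r"^GetClipboardData$", "clipboard read")],
    "anti_analysis": [(r"^IsDebuggerPresent$", "debugger check")],
    "persistence": [(r"\\CurrentVersion\\Run\\", "autorun registry path")],
    "execution": [(r"^(cmd\.exe|powershell\b.*-enc)", "shell / encoded PowerShell launcher")],
    "network": [(r"^(https?://)?\d{1,3}(\.\d{1,3}){3}/", "URL path on a raw IP, no hostname"),
                (r"^Mozilla/5\.0", "hard-coded browser User-Agent")],
}
INJECTION_TRIAD = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}

def triage(strings):
    """Return (hits by category, escalation flags, crude score) for a list of strings."""
    hits = defaultdict(list)
    for s in (line.strip() for line in strings):
        for cat, patterns in RULES.items():
            for pat, note in patterns:
                if re.search(pat, s):
                    hits[cat].append((s, note))
    matched = {s for pairs in hits.values() for s, _ in pairs}
    flags = []
    if INJECTION_TRIAD <= matched:           # all three together: classic injection chain
        flags.append("full process-injection triad present")
    if "keylogging" in hits and "network" in hits:
        flags.append("capture capability plus hard-coded C2 endpoint")
    score = sum(len(v) for v in hits.values()) + 3 * len(flags)
    return dict(hits), flags, score

if __name__ == "__main__":
    for cat, pairs in triage(SAMPLE_STRINGS)[0].items():
        print(cat, [s for s, _ in pairs])
```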