PureRAT = ResolverRAT = PureHVNC
PureRAT is a Remote Access Trojan that lets an attacker remotely control someone else's computer. Its features include viewing the screen, controlling the mouse and keyboard, accessing the webcam and microphone, recording keystrokes, uploading and downloading files, and proxying network traffic. The malware belongs to the same family as ResolverRAT and PureHVNC. Characteristics that identify it include specific C2 ports (such as 56001-56003), TLS 1.0 communication and self-signed certificates.

Tuesday, 12 August 2025 15:43:00 (UTC/GMT)



PureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else’s PC. PureRAT provides the following features to an attacker:

  • See the victim's user interface
  • Interact with the victim PC using mouse and keyboard
  • View the webcam
  • Listen to the microphone
  • Record keystrokes
  • Upload and download files
  • Proxy network traffic through victim
[Image: PureRAT user interface]

What the PureRAT user interface looks like to the attacker

PureRAT is the exact same malware as what Morphisec and others call ResolverRAT. PureHVNC, on the other hand, is the predecessor to PureRAT. These three malware names are all used by threat intel companies and researchers when referring to the same malware family. We will call this malware family “PureRAT” in this blog post.

Indicators of PureRAT

Malware analysts might recognize PureRAT through properties such as these:

  • Loader is a .NET executable obfuscated with Eazfuscator.NET
  • Payload is AES-256 encrypted in CBC mode
  • Payload is gzip compressed
  • Extracted PureRAT payload is a DLL
  • PureRAT DLL is packed with .NET Reactor

See analysis by eSentire, Morphisec, Kaspersky and Fortinet for more reverse engineering details on PureRAT.

Another way to identify the malware is to run it in a sandbox and inspect the network traffic. The following characteristics are typical indicators of PureRAT:

  • C2 TCP port is often 56001, 56002 or 56003
  • Client (bot) first sends 04 00 00 00 (in hex), followed by a TLS handshake
  • Client and server run TLS 1.0
  • X.509 cert is self signed
  • X.509 cert expires 9999-12-31 23:59:59 UTC
[Image: CapLoader flow transcript of PureRAT (ResolverRAT) C2 traffic]

As you can see in the flow transcript above, CapLoader currently identifies this traffic as “ResolverRAT”. This detection will most likely be changed to “PureRAT” in future versions of CapLoader.
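The network indicators listed above can be checked without a full TLS parser, since they all sit in the first bytes a client sends and in the server certificate's DER encoding. The following Python is an added example (not Netresec's or CapLoader's code) that scores a client stream against those indicators: the destination port, the 04 00 00 00 prefix, a TLS 1.0 ClientHello, and a certificate notAfter of 9999-12-31 23:59:59 UTC (DER GeneralizedTime "99991231235959Z"). The helper `build_tls10_client_hello()` constructs a minimal sample ClientHello so the block runs offline; the self-signed check is left out because it needs issuer/subject parsing. Function names and the scoring scheme are my own assumptions.

```python
"""Added example: score a TCP client stream against the PureRAT network
indicators (C2 port 56001-56003, 04 00 00 00 prefix, TLS 1.0 ClientHello,
X.509 notAfter 9999-12-31 23:59:59 UTC). Sample data is constructed."""
import struct

PURERAT_PORTS = {56001, 56002, 56003}
PURERAT_PREFIX = b"\x04\x00\x00\x00"
# DER GeneralizedTime (tag 0x18, length 15) for 9999-12-31 23:59:59 UTC,
# the notAfter value that appears in the PureRAT server certificate.
MAX_NOT_AFTER_DER = b"\x18\x0f" + b"99991231235959Z"


def tls_client_hello_versions(data: bytes):
    """Return (record_version, client_version) if `data` starts with a TLS
    handshake record carrying a ClientHello, otherwise None."""
    if len(data) < 11 or data[0] != 0x16:      # content type 22 = handshake
        return None
    record_version = struct.unpack(">H", data[1:3])[0]
    if data[5] != 0x01:                         # handshake type 1 = ClientHello
        return None
    client_version = struct.unpack(">H", data[9:11])[0]
    return record_version, client_version


def score_client_stream(dst_port: int, first_bytes: bytes,
                        server_cert_der: bytes = b"") -> list:
    """Return the list of PureRAT indicators matched by one client stream.
    `first_bytes` is the first client-to-server payload; `server_cert_der`
    is the DER-encoded leaf certificate the server presented (optional)."""
    hits = []
    if dst_port in PURERAT_PORTS:
        hits.append("c2_port")
    hello = first_bytes
    if first_bytes.startswith(PURERAT_PREFIX):
        hits.append("prefix_04000000")
        hello = first_bytes[len(PURERAT_PREFIX):]   # TLS handshake follows
    versions = tls_client_hello_versions(hello)
    # A TLS 1.2 client may also use record version 0x0301, so the
    # client_version field inside the ClientHello is the meaningful one.
    if versions is not None and versions[1] == 0x0301:
        hits.append("tls_1_0")
    if server_cert_der and MAX_NOT_AFTER_DER in server_cert_der:
        hits.append("cert_expires_9999")
    return hits


def build_tls10_client_hello(client_version: int = 0x0301) -> bytes:
    """Constructed minimal ClientHello: version, 32-byte random, empty
    session id, one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA), null
    compression. Lengths are computed so the record is well-formed."""
    body = (struct.pack(">H", client_version) + b"\x00" * 32 + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Constructed sample resembling the PureRAT bot's first bytes.
    sample = PURERAT_PREFIX + build_tls10_client_hello()
    print(score_client_stream(56001, sample, MAX_NOT_AFTER_DER))
```

Each matched indicator on its own is weak (TLS 1.0 clients still exist, and the ports are not reserved), so an alert should require the prefix plus at least one more hit; the sample in `__main__` matches all four.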

IOC List

Here are some IP:port tuples for C2 servers used by recent samples of PureRAT:

  • 193.26.115.125:8883
  • purebase.ddns[.]net:8883
  • 45.74.10.38:56001
  • 139.99.83.25:56001

Posted by Erik Hjelmvik on Tuesday, 12 August 2025 15:43:00 (UTC/GMT)


Short URL: https://netresec.com/?b=2589522


Source: https://www.netresec.com/?page=Blog&month=2025-08&post=PureRAT-ResolverRAT-PureHVNC