Pcrat

Malware updated 7 months ago (2024-11-29T14:23:26.719Z)

Download STIX

Preview STIX

PCrat is a notorious remote administration trojan, with its source code openly accessible on the public internet. This malware, along with KimJongRAT, has been identified as part of malicious cyber attacks. In our analysis, we found that these two malwares were used as the encoded secondary payload in BabyShark attacks, earning them the nickname "Cowboys". Their primary function appears to be information stealing and disruption of operations. The original filename "cow_pass.fig" suggests that KimJongRAT is primarily used for password extraction, while PCRat supports data exfiltration to Command and Control (C2) servers. These malware families have shown their adaptability and potential for future use in different configurations. While the current focus is on PCRat and KimJongRAT, threat actors may shift to other malware families in the future. In this case, PCRat was observed communicating with a C2 server at IP address 173.248.170[.]149:80. This shows the malware's ability to establish a connection with external servers, further highlighting its threat potential. Despite the threats posed by PCRat and KimJongRAT, defenses against them are robust. Our Intrusion Prevention System (IPS) engine effectively blocks both pre and post infection network communications from the BabyShark and PCRat malware families. By decoding the PCRat payload metadata, we can gain insights into the operation of the malware, allowing us to better anticipate and counter future attacks.

Description last updated: 2024-05-04T21:41:29.884Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Kimjongrat is a possible alias for Pcrat. KimJongRAT is a potent form of malware, malicious software designed to infiltrate and damage computer systems, often without the user's knowledge. It primarily functions as an information stealer, extracting sensitive data such as email credentials from Microsoft Outlook and Mozilla Thunderbird, and	2
BabyShark is a possible alias for Pcrat. BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Pcrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	Unit42	14 days ago	Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation
	MITRE	2 years ago	BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat