Skip to content

S0066 3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. 1

Item Value
ID S0066
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols 3PARA RAT uses HTTP for command and control.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography 3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails1
enterprise T1083 File and Directory Discovery 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.006 Timestomp 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.1

Groups That Use This Software

ID Name References
G0024 Putter Panda 1

References

Back to top