Skip to content

S0259 InnaputRAT

InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. 1

Item Value
ID S0259
Associated Names
Version 1.1
Created 17 October 2018
Last Modified 20 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell InnaputRAT launches a shell to execute commands on the victim’s machine.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Some InnaputRAT variants create a new Windows service to establish persistence.1
enterprise T1083 File and Directory Discovery InnaputRAT enumerates directories and obtains file attributes on a system.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion InnaputRAT has a command to delete files.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.1
enterprise T1036.005 Match Legitimate Name or Location InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.1
enterprise T1106 Native API InnaputRAT uses the API call ShellExecuteW for execution.1
enterprise T1027 Obfuscated Files or Information InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.1
enterprise T1082 System Information Discovery InnaputRAT gathers volume drive information and system information.1


Back to top