CrypRAT Infostealer actively spreading in the wild.

January 23, 2019

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of CrypRAT Infostealer  [CrypRAT.A] actively spreading in the wild.


Memory Snapshot of the CrypRAT Infostealer ( Raw and Encrypted Data )

Infection Cycle:

The Malware adds the following file to the system:

  • Malware.exe
    • %APPDATA%\roaming\system.exe

The Malware adds the following keys to the Windows registry:

    • 1
  • [HKEY_CURRENT_USER\Software\061c2e9167603fb87dafebfaad0bb29a]
    • Keylogger data

Once the computer is compromised, the Malware installs following components to record the activity of the user via key logging and clipboard:


The Malware terminates the Self-Extractor process and installs the System.exe [Key logger module] on the target system.


The Malware saves raw data in the following registry:

The Malware checks if data is available for transfer to the command and control (C&C) server every 10 seconds.

The Malware uses base64 to encrypt its strings as well as its network communication, here an example:


Command and Control (C&C) Traffic

CrypRAT.A performs C&C communication over port 1177. The Malware transfers stolen data in Base64 format, here are some examples:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CrypRAT.A (Trojan)