CrypRAT Infostealer actively spreading in the wild.

January 23, 2019

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of CrypRAT Infostealer [CrypRAT.A] actively spreading in the wild.

Memory Snapshot of the CrypRAT Infostealer ( Raw and Encrypted Data )

Infection Cycle:

The Malware adds the following file to the system:

Malware.exe
- %APPDATA%\roaming\system.exe

The Malware adds the following keys to the Windows registry:

HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS
- 1
[HKEY_CURRENT_USER\Software\061c2e9167603fb87dafebfaad0bb29a]
- Keylogger data

Once the computer is compromised, the Malware installs following components to record the activity of the user via key logging and clipboard:

The Malware terminates the Self-Extractor process and installs the System.exe [Key logger module] on the target system.

The Malware saves raw data in the following registry:

The Malware checks if data is available for transfer to the command and control (C&C) server every 10 seconds.

The Malware uses base64 to encrypt its strings as well as its network communication, here an example:

Command and Control (C&C) Traffic

CrypRAT.A performs C&C communication over port 1177. The Malware transfers stolen data in Base64 format, here are some examples:

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: CrypRAT.A (Trojan)