| ID | Aliases | Platforms | Year | Associated ATT&CK Software |
|---|---|---|---|---|
| X0044 | None | Windows, Linux, macOS | 2020 | None |

# ElectroRAT

ElectroRAT is used to steal cryptocurrency from wallets.

## ATT&CK Techniques

| Name | Use |
|---|---|
| Execution::User Execution (T1204) | ElectroRAT relies on the user to execute the malware. [1] |
| Command and Control::Web Service (T1102) | ElectroRAT uses HTTP for C&C and exfiltration. [1] |
| Execution::Command and Scripting Interpreter (T1059) | ElectroRAT uses Python to embed additional binaries. [1] |
| Discovery::System Information Discovery (T1082) | ElectroRAT detects the OS to determine which plugins to download. [1] |
| Persistence::Boot or Logon Autostart Execution (T1547) | ElectroRAT enables auto start on bootup. [1] |

## Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Collection::Input Capture (E1056) | ElectroRAT monitors keyboard and mouse activity to determine whether the machine is in use. [1] |
| Discovery::File and Directory Discovery (E1083) | ElectroRAT looks for wallets to steal cryptocurrency. [1] |

## MBC Behaviors

| Name | Use |
|---|---|
| Execution::Install Additional Program (B0023) | Upon execution, ElectroRAT downloads additional executables. [1] |
| Collection::Cryptocurrency (B0028) | ElectroRAT examines the disk for cryptocurrency addresses and keys to steal money from a wallet. It compromises multiple currencies, including Monero, Dogecoin, Ethereum, Litecoin, and Bitcoin. [1] |
| Command and Control::C2 Communication (B0030) | ElectroRAT communicates with a Pastebin site via HTTP. [1] |

## Indicators of Compromise

### Command-and-Control Servers

- 193.38.55.131
- 193.38.55.4
- 213.226.100.140
- kintum.io
- daopoker.com
- jamm.to
- pastebin.com/raw/r12wBrC7
- pastebin.com/raw/DF8Gikrk
- pastebin.com/raw/bfQiiqyv
- pastebin.com/raw/UbTZx6kd
- pastebin.com/raw/U45SvK4K
- pastebin.com/raw/zrZA4L3e

### SHA256 Hashes

- 170cb5ea1a6b4af3c27358ba267a1309ed5118481619fc874f717262cb91fb77
- 881be95a9632fa44deeeca23e4e19390d600ad817b2f66671d3f21453a16c7b7
- e9b83d5cdefd4486b32a927d7505cdeebb43e6977759ba069d9373e46ca7d0f2
- e547872761d81c3afc9c2a42cac3931e2a1defc2c56a0a3c57b28ea91e7686cd
- 17b0b1a9271683f30e5bfd92eec9c0a917755f54060ef40d9bd0f12e927f540f
- 5c884be3635eb55ce02e141d6fb07f760b6dbcace54f2217c69f287292ce59f6
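As an added defender-side example (not part of this corpus entry or of the Intezer report it cites), the script below sweeps constructed proxy log lines and a constructed file-hash inventory against the indicators listed above. The log format, the client addresses and the inventory paths are assumptions made for the example; the indicator values themselves are copied from this page. Note that the Pastebin entries are matched on the full `/raw/<id>` path, since `pastebin.com` itself is not an indicator, and domains are matched including their subdomains.

```python
"""Sweep constructed proxy logs and a file-hash inventory for the ElectroRAT
IoCs listed on this page. Added example; log lines and inventory are constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied from the page's IoC section.
C2_IPS = {"193.38.55.131", "193.38.55.4", "213.226.100.140"}
C2_DOMAINS = {"kintum.io", "daopoker.com", "jamm.to"}
C2_PASTES = {
    "pastebin.com/raw/r12wBrC7", "pastebin.com/raw/DF8Gikrk",
    "pastebin.com/raw/bfQiiqyv", "pastebin.com/raw/UbTZx6kd",
    "pastebin.com/raw/U45SvK4K", "pastebin.com/raw/zrZA4L3e",
}
SHA256_IOCS = {
    "170cb5ea1a6b4af3c27358ba267a1309ed5118481619fc874f717262cb91fb77",
    "881be95a9632fa44deeeca23e4e19390d600ad817b2f66671d3f21453a16c7b7",
    "e9b83d5cdefd4486b32a927d7505cdeebb43e6977759ba069d9373e46ca7d0f2",
    "e547872761d81c3afc9c2a42cac3931e2a1defc2c56a0a3c57b28ea91e7686cd",
    "17b0b1a9271683f30e5bfd92eec9c0a917755f54060ef40d9bd0f12e927f540f",
    "5c884be3635eb55ce02e141d6fb07f760b6dbcace54f2217c69f287292ce59f6",
}


def classify_url(url):
    """Return the indicator a requested URL matches, or None.

    IPs match exactly; domains match exactly or as a parent of the requested
    host; Pastebin entries match only on the specific /raw/<id> path, because
    the pastebin.com host on its own is not an indicator."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in C2_IPS:
        return host
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    path_key = host + parts.path
    if path_key in C2_PASTES:
        return path_key
    return None


# Constructed proxy log, assumed format: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2020-12-01T10:00:01Z 10.0.0.5 GET https://example.org/index.html 200
2020-12-01T10:00:07Z 10.0.0.5 GET https://pastebin.com/raw/r12wBrC7 200
2020-12-01T10:00:09Z 10.0.0.5 GET https://pastebin.com/raw/someOtherPaste 200
2020-12-01T10:01:15Z 10.0.0.7 POST http://193.38.55.131/ 200
2020-12-01T10:02:30Z 10.0.0.9 GET http://update.kintum.io/plugin 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def scan_proxy_log(text):
    """Return (client, indicator) pairs for every log line that hit an IoC."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these
        indicator = classify_url(match["url"])
        if indicator:
            hits.append((match["client"], indicator))
    return hits


# Constructed inventory: path -> SHA256 hex digest (the benign digest is made up).
SAMPLE_INVENTORY = {
    "/tmp/sample-a.bin": "170cb5ea1a6b4af3c27358ba267a1309ed5118481619fc874f717262cb91fb77",
    "/tmp/benign.bin": "0" * 64,
}


def scan_hash_inventory(inventory):
    """Return the sorted paths whose digest is one of the listed SHA256 IoCs."""
    return sorted(p for p, digest in inventory.items() if digest.lower() in SHA256_IOCS)


if __name__ == "__main__":
    for client, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"network IoC hit: client={client} indicator={indicator}")
    for path in scan_hash_inventory(SAMPLE_INVENTORY):
        print(f"file IoC hit: {path}")
```

Matching the Pastebin indicators on the full raw-paste path rather than the host keeps ordinary Pastebin traffic out of the alert set; if the environment does not otherwise use Pastebin, widening the match to the host is a reasonable local tuning choice.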

## References

[1] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/