Remote-Access-Trojan-Database

All samples in this database may be used only for research purposes.

The table below lists the status of all RAT families, including the programming language used to write RAT stubs, the debut year of each RAT family, and the source used to determine the debut year.

The fourth column gives the source on which we based the year. Sources fall into 3 types: public online documents, the compilation timestamp, and the About description. For the About information, some RAT developers leave change logs with timestamps in the About window of the RAT's control panel, which is useful for identifying the debut year.

| Name | Programming language | The debut year | Source to determine the year |
| --- | --- | --- | --- |
| Sub-7 | Delphi | 1999 | https://bit.ly/2p5xjsh |
| Nuclear | Delphi | 2003 | https://bit.ly/2qMzbGH |
| Turkojan | Delphi | 2003 | https://symc.ly/2qJXfdb |
| Poison Ivy | MASM32 | 2007 | About |
| DarkComet | Delphi | 2008 | https://bit.ly/367tAe6 |
| Spycronic | Delphi | 2010 | Compilation Timestamp |
| Spy-Net | Delphi | 2010 | https://symc.ly/32N7lYR |
| CyberGate | Delphi | 2010 | https://bit.ly/33Y0NXA |
| Xtreme | Delphi | 2010 | https://bit.ly/2NdavQj |
| Imperium | .NET | 2011 | Compilation Timestamp |
| NovaLite | Delphi | 2011 | About |
| NjRAT | .NET | 2012 | https://bit.ly/2p5HsFl |
| D-RAT | .NET | 2012 | Compilation Timestamp |
| Bozok | Delphi | 2012 | https://bit.ly/2MLPiwL |
| Greame | Delphi | 2012 | https://bit.ly/2PlBhrq |
| Frutas | JAVA | 2012 | https://bit.ly/2p5x40l |
| Crimson | JAVA | 2012 | https://bit.ly/32OkuB5 |
| jSpy | JAVA | 2012 | https://bit.ly/2NgAAga |
| Imminent Monitor | .NET | 2013 | https://bit.ly/2NdGnmL |
| NanoCore | .NET | 2013 | https://bit.ly/2BLna6w |
| SpyGate | .NET | 2013 | https://bit.ly/32SyxFK |
| VirusRAT | .NET | 2013 | https://bit.ly/31RtjZn |
| Pandora | Delphi | 2013 | https://symc.ly/36giQdN |
| DH RAT | Delphi | 2013 | https://bit.ly/31SIG49 |
| Alusinus | Delphi | 2013 | https://symc.ly/32O7Cen |
| njworm | Visual Basic | 2013 | https://bit.ly/2BMu2R2 |
| ucuL | C++ | 2013 | https://bit.ly/2PiXmXl |
| Adwind | JAVA | 2013 | https://bit.ly/366qzef |
| BackConnect | .NET | 2014 | Compilation Timestamp |
| BXRAT | .NET | 2014 | Compilation Timestamp |
| CloudNet | .NET | 2014 | https://bit.ly/2Pkgwwb |
| L6RAT | .NET | 2014 | Compilation Timestamp |
| Mega | .NET | 2014 | Compilation Timestamp |
| VanTom | .NET | 2014 | https://bit.ly/2PkgwfF |
| XRAT | .NET | 2014 | https://bit.ly/31Np94P |
| Proton | .NET | 2014 | About |
| Quasar | .NET | 2014 | https://bit.ly/2p5HeOv |
| Orion | Delphi | 2014 | Compilation Timestamp |
| HAKOPS | Visual Basic | 2014 | https://bit.ly/31NDu1h |
| Coringa | .NET | 2015 | https://bit.ly/344tKRG |
| ctOs | .NET | 2015 | Compilation Timestamp |
| KilerRAT | .NET | 2015 | https://bit.ly/2oj7nZz |
| MLRAT | .NET | 2015 | Compilation Timestamp |
| MQ5 | .NET | 2015 | Compilation Timestamp |
| Comet RAT | .NET | 2015 | Compilation Timestamp |
| Xena | Delphi | 2015 | https://bit.ly/2WfyfpS |
| Rabbit-Hole | Delphi | 2015 | Compilation Timestamp |
| SkyWyder | Visual Basic | 2015 | https://bit.ly/2pPMvtw |
| Babylon | C++ | 2015 | https://bit.ly/2p5DFI8 |
| Pupy | Python | 2015 | https://bit.ly/2BPPLHL |
| NingaliNet | .NET | 2016 | About |
| Revenge | .NET | 2016 | https://bit.ly/31L7Xgf |
| Maus | JAVA | 2016 | https://bit.ly/31L7LO3 |

Explore possible implementation methods of each function from the above RAT families

| KeyLogger | Descriptions & Key APIs |
| --- | --- |
| K1 | RATs invoke NtUserSetWindowsHookEx to register a callback function in a Windows message hook chain. The callback function receives a virtual key code whenever the victim presses a key. |
| K2 | RATs invoke NtUserGetAsyncKeyState in an endless loop to poll the state of every key. |
| K3 | RawInput is another channel for getting user input. RATs invoke NtUserGetRawInputData to get the input when a WM_INPUT message occurs. |

| RemoteCamera | Descriptions & Key APIs |
| --- | --- |
| C1 | Leveraging DirectShow to access cameras. DirectShow is a media-streaming architecture for Microsoft Windows. RATs first invoke CoCreateInstance and CreateClassEnumerator to find the video input device. Then they invoke several APIs (e.g., SetFiltergraph, SetOutputFileName, etc.) to configure the capture. Finally, they invoke RenderStream to capture video. |
| C2 | VFW is another multimedia framework developed by Microsoft that allows Windows to play and encode digital video. RATs first invoke capGetDriverDescription to retrieve information about video input devices, and then invoke capCreateCaptureWindow to create a capture window. Finally, they invoke SendMessage to send messages to the created window to connect to the camera and capture from it. |

| AudioRecord | Descriptions & Key APIs |
| --- | --- |
| A1 | Leveraging the built-in Waveform-Audio interface to capture audio. RATs first invoke waveInOpen to open an audio input device. Then they invoke waveInPrepareHeader and waveInAddBuffer to prepare buffer blocks for audio data. Finally, they invoke waveInStart to start capturing audio. |
| A2 | The Media Control Interface (MCI) is another built-in interface, which provides standard commands for recording from multimedia devices. RATs first invoke mciSendCommand with an MCI_OPEN command to open an audio input device, and then invoke the same API, mciSendCommand, with another command, MCI_RECORD, to start audio recording. |
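
For analysts, the method labels above can be used to tag a sandbox API trace. The following is an added example, not code from this repository: it checks that each method's key APIs occur in the order described. The `api(arg)` trace line format, the polling threshold of 100 and the WH_KEYBOARD argument filter for K1 are assumptions.

```python
import re

# Ordered API stages per method label, taken from the tables above.
# "api:ARG" also requires ARG in the logged argument (assumed trace format).
STAGES = {
    "K1": ["NtUserSetWindowsHookEx:WH_KEYBOARD"],  # also matches WH_KEYBOARD_LL
    "K3": ["NtUserGetRawInputData"],
    "C1": ["CoCreateInstance", "CreateClassEnumerator", "RenderStream"],
    "C2": ["capGetDriverDescription", "capCreateCaptureWindow", "SendMessage"],
    "A1": ["waveInOpen", "waveInPrepareHeader", "waveInAddBuffer", "waveInStart"],
    "A2": ["mciSendCommand:MCI_OPEN", "mciSendCommand:MCI_RECORD"],
}
POLL_THRESHOLD = 100  # assumed cut-off for K2's endless polling loop
LINE = re.compile(r"^(\w+)\((.*)\)$")  # constructed trace format: api(arg)

def parse(trace_text):
    """Return (api, arg) tuples; lines that do not parse are skipped."""
    found = (LINE.match(line.strip()) for line in trace_text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def _matches(stage, api, arg):
    name, _, want = stage.partition(":")
    return api == name and want in arg  # empty `want` matches any argument

def classify(calls):
    """Return sorted method labels whose API stages all occur in order."""
    hits = set()
    for label, stages in STAGES.items():
        idx = 0
        for api, arg in calls:
            if _matches(stages[idx], api, arg):
                idx += 1
                if idx == len(stages):
                    hits.add(label)
                    break
    polls = sum(1 for api, _ in calls if api == "NtUserGetAsyncKeyState")
    if polls >= POLL_THRESHOLD:
        hits.add("K2")
    return sorted(hits)

# Constructed trace, not from a real sample: a complete A1 sequence, an A2
# pair in the wrong order, a mouse hook, and 150 key-state polls.
SAMPLE = "\n".join(
    ["waveInOpen(WAVE_MAPPER)", "mciSendCommand(MCI_RECORD)",
     "waveInPrepareHeader(hdr0)", "waveInAddBuffer(hdr0)",
     "NtUserSetWindowsHookEx(WH_MOUSE_LL)", "waveInStart(hwi)",
     "mciSendCommand(MCI_OPEN)"]
    + ["NtUserGetAsyncKeyState(0x41)"] * 150
)
```

Calling `classify(parse(SAMPLE))` tags the constructed trace as A1 and K2 only; the out-of-order MCI commands and the mouse hook are not tagged.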

TBC