InnaputRAT (Malware Family)

InnaputRAT

VTCollection
InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.
References

2014-08-07 ⋅ NetScout ⋅ ASERT Team
Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files
InnaputRAT
Yara Rules

[TLP:WHITE] win_innaput_rat_auto (20260504 | Detects win.innaput_rat.)
rule win_innaput_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.innaput_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 8d85c8fdffff 50 ffd6 85c0 }
            // n = 5, score = 500
            //   68????????           |                     
            //   8d85c8fdffff         | lea                 eax, [ebp - 0x238]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_1 = { 2bf1 8a08 884c0616 40 84c9 75f5 }
            // n = 6, score = 500
            //   2bf1                 | sub                 esi, ecx
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   884c0616             | mov                 byte ptr [esi + eax + 0x16], cl
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f5                 | jne                 0xfffffff7

        $sequence_2 = { 8bec 56 33f6 46 eb1a 68c8000000 6a00 }
            // n = 7, score = 500
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   eb1a                 | jmp                 0x1c
            //   68c8000000           | push                0xc8
            //   6a00                 | push                0

        $sequence_3 = { ff15???????? 85c0 750c ffb71c060000 ff15???????? 57 e8???????? }
            // n = 7, score = 500
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   ffb71c060000         | push                dword ptr [edi + 0x61c]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_4 = { 740f 8b4d08 e8???????? 3b450c 72d9 }
            // n = 5, score = 500
            //   740f                 | je                  0x11
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   72d9                 | jb                  0xffffffdb

        $sequence_5 = { 8a08 884c0616 40 84c9 }
            // n = 4, score = 500
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   884c0616             | mov                 byte ptr [esi + eax + 0x16], cl
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl

        $sequence_6 = { ff15???????? 85c0 7413 3bc6 740f 8b4d08 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   3bc6                 | cmp                 eax, esi
            //   740f                 | je                  0x11
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_7 = { 8bd0 8bce 2bca 8d5134 }
            // n = 4, score = 500
            //   8bd0                 | mov                 edx, eax
            //   8bce                 | mov                 ecx, esi
            //   2bca                 | sub                 ecx, edx
            //   8d5134               | lea                 edx, [ecx + 0x34]

        $sequence_8 = { 751b 53 53 53 6a06 6a01 6a02 }
            // n = 7, score = 500
            //   751b                 | jne                 0x1d
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a06                 | push                6
            //   6a01                 | push                1
            //   6a02                 | push                2

        $sequence_9 = { 85c0 750c ffb71c060000 ff15???????? 57 e8???????? }
            // n = 6, score = 500
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   ffb71c060000         | push                dword ptr [edi + 0x61c]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 73728
}
Download all Yara Rules
InnaputRAT Propose Change

References

Yara Rules

InnaputRAT
