RAT Decoders

Python Decoders for Common Remote Access Trojans

View project on GitHub


This Repo will hold a collection of Python Scripts that will extract,decode and display the configuration settings from common rats.

Each of these decoders is running on http://malwareconfig.com and has additional features that are not included in the scripts.

If you wish to contribute please feel free to fork or email me on decoders@malwareconfig.com

You can read more about the project on my blog at http://techanarchy.net/2014/04/rat-decoders/

Current Rats

These are the currently supported RATS:

  • Adwind
  • Adzok
  • Albertino Advanced RAT
  • AlienSpy
  • Arcom
  • BlackNix
  • BlackShades
  • Blue Banana
  • Bozok
  • ClientMesh
  • Crimson
  • CyberGate
  • DarkComet
  • drakddoser
  • DarkRat
  • Gh0st
  • Graeme
  • HawkEye
  • Java Droppers
  • jRat
  • LostDoor
  • LuxNet
  • NanoCore
  • njRat
  • Pandora
  • PoisionIvy
  • PredatorPain
  • Punisher
  • ShadowTech
  • SpyGate
  • SmallNet
  • Tapaoux
  • Unrecom
  • Vantom
  • Vertex
  • VirusRat
  • Xena
  • xtreme

Upcoming RATS

  • NetWire
  • Plasma
  • Any Other Rats i can find.


All the decoders are written in Python 2.7 each decoder can run independently and each has their own requirements. For all existing decoders the only external modules required are:

  • pefile
  • pycrypto
  • pype32

PyCrypto for windows can be found on voidspace all others can be installed with pip or via git.


  • Each Script comes with its own -h option use it :) Typical Usage is
root@Viper:~/RATDecoders# python DarkComet.py
Usage: DarkComet.py inFile outConfig
DarkComet Rat Config Extractor

  --version   show program's version number and exit
  -h, --help  show this help message and exit

Some of the decoders have a recursive mode used with a -r and a dir name


There are a couple of projects that make use of these decoders. If you wish to integrate these in to your own let me know and i will help where i can. If you use it and i missed you also let me know.

Viper - https://github.com/botherder/viper

DC3-MWCP - https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP


  • There will be more decoders coming
  • Finish the Recursive mode on several of the Decoders


Full credit where credit is due.

Malware.lu for the initial xtreme Rat Writeup - https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT

Fireye for their Poison Ivy and Xtreme rat WriteUps (Even though they ignored my tweet and reply ) - http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html

Shawn Denbow and Jesse Herts for their paper here - http://www.matasano.com/research/PEST-CONTROL.pdf Saved me a lot of time