
How To: Trace RATs

r1p
Jan 11th, 2020
██▀███ ██▓ ██▓███
▓██ ▒ ██▒ ▓██▒ ▓██░ ██▒
▓██ ░▄█ ▒ ▒██▒ ▓██░ ██▓▒
▒██▀▀█▄ ░██░ ▒██▄█▓▒ ▒
░██▓ ▒██▒ ░██░ ▒██▒ ░ ░
░ ▒▓ ░▒▓░ ░▓ ▒▓▒░ ░ ░
░▒ ░ ▒░ ▒ ░ ░▒ ░
░░ ░ ▒ ░ ░░
░ ░
[#] ~ r1p's guide on How To: Trace a RAT ~ [#]
*PLEASE NOTE*: there are other ways to do this, but this is the simplest way.

If you are reading this you most likely don't know how to trace a RAT. In this guide I will cover: how to protect yourself from RATs, how to "trace" a RAT, and what to do once you have the owner's IP/DNS.

Okay, so real quick before I start, you will need these things:
-- A VM or your own PC (if you use your own PC then you have guts.)
-- Sandboxie
-- Wireshark
-- A brain
-- Basic computer knowledge

1. Download a RAT (do not open it)
2. Install Sandboxie from here: https://www.sandboxie.com/
3. Install Wireshark from here: https://www.wireshark.org/
4. Scan the RAT in VirusTotal: https://www.virustotal.com/gui/
5. If the detections contain a proper family name like "Nanocore", it's a NanoCore RAT, etc. Look up the names yourself.
6. Open up Wireshark and select your Wi-Fi/network adapter
7. Start capturing all the traffic
8. RIGHT CLICK the RAT and press "Open in Sandboxie"
9. You will see more traffic rush into your Wireshark capture; that is GOOD
10. Go to the filter bar, type "dns" and press enter. It will show every DNS lookup on your network
11. Find a suspicious-looking DNS name like "hacker4rat.ddns.net"; they all have different addresses, so yeah
12. Next to the DNS name will be an IP address. If the owner of the RAT was careless, it will be their home connection; otherwise it isn't

[#] ~ Congrats, you found the IP address, now moving on to what to do with that information ~ [#]
1. Firstly, copy and paste the IP address into https://www.ip-tracker.org/
2. Find the ISP and search for it in your browser. If it says the company is an ISP, it is their home address; otherwise it's a VPN
3. Find what DNS provider they are using. Most people use No-IP, so try looking there for a DNS address that matches the owner's
4. Once you have found the DNS provider, report the DNS name for "Hosting Malicious Apps"
5. You have now taken down a ratter! :)

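
Worked example, added here and not part of r1p's paste: what steps 10 to 12 above do by hand in Wireshark (pull the DNS answers out of the capture and pair each name with the IP it resolved to), plus the provider check from step 3 of this section (is the name under a dynamic-DNS suffix, and whose). It parses raw DNS response payloads with only the Python standard library, including the name-compression pointers real resolvers emit, so it runs offline. Everything in it is an assumption of mine: the DNS packets are constructed in the block itself with documentation-range addresses, the suffix-to-provider table is a short list from my own knowledge rather than anything the guide states, and the function names are my own.

```python
import struct
import ipaddress

# Suffixes that dynamic-DNS services hand out. Assumption: a short list from my
# own knowledge; the guide only names No-IP. Extend it for your environment.
DYNAMIC_DNS_PROVIDERS = {
    "ddns.net": "No-IP",
    "no-ip.org": "No-IP",
    "hopto.org": "No-IP",
    "zapto.org": "No-IP",
    "duckdns.org": "Duck DNS",
    "dynu.com": "Dynu",
}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(txid, name, ip, ttl=60):
    """Build a minimal DNS answer (one A record) so the example runs offline.
    The answer's name is a compression pointer (0xC00C) back to the question
    name at offset 12, exactly as real resolvers encode it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # type A, IN
    rdata = ipaddress.IPv4Address(ip).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(data, offset):
    """Decode a DNS name at offset, following compression pointers.
    Returns (name, offset just past the name where it appeared)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # two top bits set: compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(data):
    """Return [(name, ipv4)] for every A record in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return []  # a query, not a response: nothing resolved yet
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4  # skip qtype + qclass
    results = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            results.append((name, str(ipaddress.IPv4Address(rdata))))
    return results


def dynamic_dns_provider(name):
    """Provider name if the domain sits under a known dynamic-DNS suffix, else None."""
    lowered = name.lower().rstrip(".")
    for suffix, provider in DYNAMIC_DNS_PROVIDERS.items():
        if lowered == suffix or lowered.endswith("." + suffix):
            return provider
    return None


def triage(dns_payloads):
    """Walk captured DNS payloads; return the answers worth reporting."""
    findings = []
    for payload in dns_payloads:
        for name, ip in parse_dns_response(payload):
            provider = dynamic_dns_provider(name)
            if provider:
                findings.append({"domain": name, "ip": ip, "provider": provider})
    return findings


# Constructed sample capture (not real traffic): one ordinary lookup and one
# dynamic-DNS lookup, both answered with TEST-NET-3 addresses.
SAMPLE_CAPTURE = [
    build_dns_response(0x1234, "example.com", "203.0.113.10"),
    build_dns_response(0x5678, "hacker4rat.ddns.net", "203.0.113.45"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CAPTURE):
        print(f"{f['domain']} -> {f['ip']} (dynamic DNS via {f['provider']})")
```

On a real capture you would feed `parse_dns_response` the UDP payload of each port-53 packet (Wireshark's "Export Packet Bytes" on the DNS layer gives exactly that) and take the provider name from the findings to the abuse form, as the steps above describe.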
[#] ~ Now I will be telling you how to protect yourself from RATs ~ [#]
1. Install an anti-virus like Avast or ESET
2. When downloading things off the internet, always scan the DIRECT .exe in VirusTotal; DO NOT just scan the .RAR or folder
3. If VirusTotal comes up with things like "Trojan\:tyHJ57Y", it is obfuscated and is most likely a virus
4. If you downloaded it off a forum like HackForums or Nulled.to, check the user's reputation score; if it's negative, it is malware
There you go! You have now protected yourself from RATs.
Please share this Pastebin with others so they can also protect themselves.

#SuicideSec