The project is a remote access trojan (RAT). The RAT itself is modular: the client (victim side) is written in C++, the server in C#, and the frontend in Angular. It also includes a built-in stealer.
Features
Anti-Detection & Evasion
TimeStomping – Alters file timestamps to mimic legitimate binaries.
Unhook NTDLL – Restores a clean copy of NTDLL to bypass userland hooks.
Unhook NTDLL Hooks – Replaces hooked NTDLL with a fresh copy to evade AV/EDR instrumentation.
Command Line Spoofing – Masks malicious processes with benign command lines.
ETW Patcher – Hooks and disables ETW logging at runtime.
No-New Thread Execution – Executes shellcode without creating new threads.
Own VirtualAlloc (Module Stomping) – Executes shellcode within legitimate module memory.
Persistence & Privilege Escalation
Execute EXE As Admin – Uses UAC bypass to escalate privileges.
Task Creator – Creates scheduled tasks for persistence.
Privilege Escalation to SYSTEM – Token stealing via SYSTEM process handles.
Information Gathering
List Processes – Enumerates running processes.
Enumeration – Gathers OS, disk, registry, and network info.
Security Detector – Checks for antivirus and monitoring tools.
Mapping Free Handles in Memory – Reuses handles from trusted processes to evade detection.
Rootkit
Userland Rootkit – Intercepts system API calls.
File Hider – Hides files and directories.
File Unhider – Restores hidden files.
Process Hider – Conceals malicious processes.
Registry Hider – Hides registry keys and values.
File Operations
File Upload – Sends files to C2 using HTTP fragmentation.
File Download – Retrieves files from C2.
File Explorer – Browses file system remotely.
Keylogging
Keylogger – Captures and exfiltrates keystrokes.
RDP & Credential Access
RDP Stealer – Extracts saved RDP credentials and session info.
ETW&Memory
ETW Patcher – Neutralizes ETW logging.
Mapping Free Handles in Memory – Leverages open handles from trusted processes.