
Who’s Behind GoatRAT?

In this brief analysis I'll take a look at who's behind GoatRAT in terms of social media activity, C&C servers, and actual personally identifiable information.

Personally identifiable information:

hxxp://bit[.]ly/nubankmodulo

hxxp://goatrat[.]com/apks/apk20[.]apk

Sample hashes (SHA-256 and MD5):

6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7

9a8e85cf1bbd32c71f0efa42ffedf1a0

hxxp://api[.]goatrat[.]com:3008

Social Media:

hxxp://t[.]me/sickoDevz

hxxp://t[.]me/goatmalware

Website:

hxxp://criminalmw[.]fun

hxxp://clientes[.]criminalmw[.]fun

WhatsApp – +5511987457894

ba5833b49e2c6501f5bbce90b7948a85

Code Signing Certificate Signed By: Mr[.] Paxton Doyle PhD

SSL: 94ba7810ece1a1b227e6a5b509c8bb228e7285a1a5cee5f0ee26542783d4b09a

Sample C&C servers:

104[.]244[.]75[.]74

138[.]197[.]166[.]92

142[.]251[.]143[.]110

142[.]251[.]143[.]129

142[.]251[.]143[.]142

142[.]251[.]143[.]163

142[.]251[.]143[.]193

142[.]54[.]162[.]114

159[.]69[.]27[.]103

174[.]128[.]250[.]164

185[.]204[.]1[.]84

185[.]225[.]68[.]133

188[.]214[.]132[.]49

216[.]239[.]32[.]36

216[.]239[.]34[.]36

31[.]133[.]1[.]108

51[.]148[.]150[.]203

51[.]81[.]93[.]37

80[.]241[.]214[.]102

82[.]128[.]229[.]109

93[.]115[.]91[.]66

95[.]216[.]209[.]129

Sample C&C servers:

tgutjgo6kvqdst5ock[.]com

olbvu5pv2apkc57zfeg[.]com

hxxp://h4j7ewfdpwfzg6g6[.]com – 185[.]177[.]206[.]72

hxxp://3ajzfjsxou4yzn3jw552dg[.]com – 87[.]236[.]195[.]198

hxxp://f53ia7lqhbg54y7xd7ydp3[.]com – 178[.]63[.]41[.]183

hxxp://lblhluz7or[.]com – 178[.]63[.]41[.]183

hxxp://inylslu7vfq24vb[.]com – 185[.]177[.]206[.]72

51[.]81[.]56[.]136

89[.]163[.]128[.]25

81[.]7[.]16[.]177

81[.]170[.]128[.]221

109[.]70[.]100[.]71

158[.]255[.]1[.]112

j6jvmwqorhq4xpjkcy26d3i4au6pz6nyroqxreefmnl7yxgcruxzkmyd[.]onion

Sample Photos:

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog authored by Dancho Danchev. Read the original post at: https://ddanchev.blogspot.com/2024/01/whos-behind-goatrat.html
