Jan. 13, 2024, 9:01 p.m. | Dancho Danchev

Security Boulevard securityboulevard.com



In this brief analysis I'll take a look at who's behind GoatRAT in terms of social media activity, C&C servers, and actual personally identifiable information.






Personally identifiable information:


hxxp://bit[.]ly/nubankmodulo


hxxp://goatrat[.]com/apks/apk20[.]apk


Sample MD5s:


6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7


9a8e85cf1bbd32c71f0efa42ffedf1a0


hxxp://api[.]goatrat[.]com:3008


Social Media:


hxxp://t[.]me/sickoDevz


hxxp://t[.]me/goatmalware


Web site: 


hxxp://criminalmw[.]fun


hxxp://clientes[.]criminalmw[.]fun


WhatsApp - +5511987457894


ba5833b49e2c6501f5bbce90b7948a85


Code Signing Certificate Signed By: Mr[.] Paxton Doyle PhD


SSL: 94ba7810ece1a1b227e6a5b509c8bb228e7285a1a5cee5f0ee26542783d4b09a


Sample C&C servers:


