Analysis Report: AlmondRAT (stdrcl.exe)
1. Initial Triage
My starting question was simple: what kind of file is this? The file utility reports a PE32 executable for 32-bit Windows, Mono/.NET assembly. At 15,360 bytes it is unusually small, a common trait of purpose-built RAT clients that keep the client thin and leave the logic on the operator's server.
I then ran peframe to check metadata and strings. The version info block immediately stood out: the file masquerades as "Host Troubleshoot Service" published by "Microsoft", with version 21.0.1320.0 and copyright © 2022. The internal name is stdrcl.exe and the PDB path is:
C:\Users\Window 10 C\Desktop\COMPLETED WORK\stdrcl\stdrcl\obj\Release\stdrcl.pdb
This is almost certainly the developer's own build machine. The desktop folder name "COMPLETED WORK" reads as a finished build handed over for use rather than a development snapshot. The PDB path also leaks the Windows account name, "Window 10 C", likely a nickname or alias.
peframe also flagged XOR, DNS/network and crypto behaviours, and listed the plaintext string saebamini.com immediately followed by SingletonApp. This turned out to be the mutex name (see §4.1).
2. Decompilation
Since this is a .NET assembly, I decompiled it directly with ilspy (v9.1.0). The tool returned clean, fully readable C# with no obfuscation at the IL level. The entire RAT logic lives in five classes: StateObject, Program, CommWithServer, SystemAttribute and CipherText.
The only obfuscation is string encryption: all sensitive string literals (C2 IP, command keywords, registry path, shell path) are stored as AES-CBC ciphertexts and decrypted at runtime via a CipherText.Decrypt() method.
3. String Encryption Scheme
The CipherText class contains the full decryption logic. I read it directly from the decompiled source; the relevant lines are below (the using directives and the declaration of the aes variable are added so the fragment reads on its own):

```csharp
using System.Security.Cryptography;
using System.Text;

string password = "s@1_oO7";
byte[] salt = { 73, 118, 97, 110, 32, 77, 101, 100, 118, 101, 100, 101, 118 };
// salt == "Ivan Medvedev" in ASCII
Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt); // defaults: 1000 iterations, HMAC-SHA1
Aes aes = Aes.Create();     // the decompiled code's AES instance; CBC with PKCS7 padding is the .NET default
aes.Key = kdf.GetBytes(32); // AES-256 key: bytes 0..31 of the PBKDF2 output stream
aes.IV = kdf.GetBytes(16);  // bytes 32..47 of the same stream; GetBytes() continues where it left off
// Output decoded as UTF-16 LE (Encoding.Unicode)
```
Parameters:
- Password: s@1_oO7
- Salt: Ivan Medvedev (the 13 ASCII bytes above), hardcoded; its likely origin is discussed in §8.5
- KDF: PBKDF2-HMAC-SHA1, 1000 iterations (Rfc2898DeriveBytes default)
- Key: 32 bytes (AES-256)
- IV: next 16 bytes from the same PBKDF2 stream
- Mode: AES-CBC
- Plaintext encoding: UTF-16 LE
Because both key and IV are fixed (derived deterministically from a hardcoded password and salt), every embedded ciphertext can be decrypted statically without executing the sample, and the same decryptor works on any other build that keeps these constants. I wrote a reusable Python decryption script, decrypt_almondrat.py, for this.
Decrypted Strings
Running the script against all embedded ciphertexts produced:
| Role | Plaintext |
|---|---|
| C2 IP address | 64.44.131.109 |
| Heartbeat command | REFRESH |
| Drive listing command | DRIVE |
| Directory listing prefix | DIR* |
| File download prefix | DOWNLOAD* |
| File upload prefix | UPLOAD* |
| File delete prefix | DELETE* |
| Shell command prefix | CMD~ |
| CD keyword (variant 1) | CD |
| CD keyword (variant 2) | /C CD |
| Shell executable | C:\Windows\System32\cmd.exe |
| OS version registry key | SOFTWARE\Microsoft\Windows NT\CurrentVersion |
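A stand-alone re-implementation of the scheme, added here as an example. It is not the decrypt_almondrat.py script mentioned above and not code from the sample; the constants are the ones read from CipherText, PKCS7 padding is an assumption (the .NET default, which the report does not state), and the ciphertext it round-trips in the demo is constructed rather than taken from the binary. Key derivation is pure standard library; the AES-CBC step needs the third-party cryptography package.

```python
"""AlmondRAT CipherText string decryptor (added example, not the analyst's
decrypt_almondrat.py). Parameters are those read from the decompiled
CipherText class; PKCS7 padding is an assumption (the .NET default).
Key derivation uses only the standard library; the AES-CBC step needs the
third-party 'cryptography' package (pip install cryptography)."""
import hashlib
import re

PASSWORD = b"s@1_oO7"                       # Rfc2898DeriveBytes encodes the string as UTF-8
SALT = bytes([73, 118, 97, 110, 32, 77, 101, 100, 118, 101, 100, 101, 118])  # "Ivan Medvedev"
ITERATIONS = 1000                           # Rfc2898DeriveBytes(password, salt) default, HMAC-SHA1

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTO = True
except ImportError:                         # derive_key_iv() still works without it
    HAVE_CRYPTO = False


def derive_key_iv():
    """Reproduce kdf.GetBytes(32) followed by kdf.GetBytes(16).

    Rfc2898DeriveBytes keeps its position between calls, so the IV is bytes
    32..47 of the PBKDF2 output stream, not a separate derivation. Both values
    are identical for every copy of the sample built with these constants.
    """
    stream = hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ITERATIONS, 48)
    return stream[:32], stream[32:48]


def _cipher():
    if not HAVE_CRYPTO:
        raise RuntimeError("the AES step needs the 'cryptography' package")
    key, iv = derive_key_iv()
    return Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())


def decrypt_string(ciphertext: bytes) -> str:
    """AES-256-CBC decrypt, strip PKCS7, decode as UTF-16 LE (Encoding.Unicode)."""
    if len(ciphertext) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    dec = _cipher().decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: not a CipherText blob, or the build uses other constants")
    return padded[:-pad].decode("utf-16-le")


def encrypt_string(plaintext: str) -> bytes:
    """Inverse of decrypt_string(); used for test vectors, and handy for
    signaturing a string an operator might re-encrypt with the same constants."""
    data = plaintext.encode("utf-16-le")
    pad = 16 - len(data) % 16
    enc = _cipher().encryptor()
    return enc.update(data + bytes([pad]) * pad) + enc.finalize()


def decrypt_ilspy_literal(literal: str) -> str:
    """Decrypt a byte-array literal pasted from ILSpy output, e.g.
    'new byte[16] { 12, 34, ... }'. Only the digits inside the braces count,
    so the array-length suffix is ignored."""
    body = literal[literal.index("{") + 1:literal.rindex("}")] if "{" in literal else literal
    return decrypt_string(bytes(int(t) for t in re.findall(r"\d+", body)))


if __name__ == "__main__":
    key, iv = derive_key_iv()
    print("key", key.hex())
    print("iv ", iv.hex())
    if HAVE_CRYPTO:
        blob = encrypt_string("REFRESH")    # constructed vector, not taken from the binary
        print(decrypt_ilspy_literal("new byte[%d] { %s }" % (len(blob), ", ".join(map(str, blob)))))
```

Because the IV is taken from the same PBKDF2 stream as the key, a decryptor that derives the IV separately (a common mistake when porting this scheme) will fail the padding check on every blob; the ValueError in decrypt_string() is the symptom to look for.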
4. Execution Flow
4.1 Startup & Singleton
Main() creates a named mutex:
saebamini.com SingletonApp
If another instance already holds this mutex, the process exits immediately, so at most one copy runs at a time. Note that the name carries no Global\ prefix, so the mutex lives in the local session namespace: a second instance started under another logged-on user would not be blocked. saebamini[.]com is embedded here as a plaintext string, not an encrypted one; what is known about the domain is in §8.4. After the mutex check, Main() enters an infinite loop calling StartClient(), so the RAT reconnects automatically after any disconnection or failure inside StartClient().
4.2 Initial Beacon
StartClient() connects via TCP to 64.44.131[.]109 on port 33638. On failure it sleeps 20 seconds and retries indefinitely. Once connected, it immediately sends a registration beacon:
<UserDomainName>*<MAC Address>*<OS Name>
- UserDomainName: Environment.UserDomainName
- MAC address: physical address of the first interface that is Up and is neither a virtual nor a pseudo adapter
- OS name: read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
This beacon is sent as UTF-16 LE over raw TCP with no framing or encryption. The MAC address is the only field that is both stable and unique per host, so it presumably serves as the victim identifier on the C2 side.
4.3 Command Loop
After the beacon, CommWithServer.StartCommWithServer() enters a loop receiving commands. The receive timeout is randomized between 20–30 seconds on each iteration. Commands are plain UTF-16 LE strings. The full command set is documented below.
5. Command Reference
REFRESH
Purpose: Heartbeat / keepalive ping.
Response: OK
DRIVE
Purpose: Enumerate all ready drives.
Response: Pipe-delimited list of entries, each formatted as:
<DriveName>*<DriveType>*<TotalSizeBytes>|
DIR*<path>
Purpose: List directory contents at <path>.
Response: Streaming batches of 5 entries at a time. Each batch is sent, then the RAT waits for OK before sending the next. Entries use two formats:
- Directory: PATH><full_path>|<ddMMyyyy|HHmmss>?
- File: FILE><full_path>|<ddMMyyyy|HHmmss>|<size_bytes>?
Batch streaming continues until all entries are sent, then terminates with *|END|*. If the path is inaccessible or does not exist, sends *|END|* immediately.
DOWNLOAD*<path>
Purpose: Exfiltrate a file from the victim to the C2.
Protocol:
1. RAT sends file size (as string).
2. C2 replies OK.
3. RAT sends raw file bytes.
If the file is not readable, sends NOTREADABLE. Adds a random sleep of 5–15 seconds after the transfer.
UPLOAD*<path>
Purpose: Drop a file from the C2 onto the victim at <path>.
Protocol:
1. C2 sends file size (as string).
2. RAT replies OK.
3. C2 streams file bytes; RAT accumulates them.
4. If received size matches expected, RAT writes the file and responds SUCCESS. If the destination path already exists, the file is renamed with a yyyyMMdd-hhmmss_ prefix to avoid overwriting.
5. On size mismatch, responds NOTOK.
DELETE*<path>
Purpose: Delete a file at <path>.
Response: OK on success, or the exception message on failure.
CMD~<command>
Purpose: Shell execution via C:\Windows\System32\cmd.exe.
Special sub-cases (the decompiler names the ~-split argument array array8, so array8[1] is the text after CMD~; it is uppercased before comparison):
- If command is CD or /C CD and a third ~-delimited argument is provided: changes the current working directory to that argument, responds with the new CWD.
- If command is CD or /C CD with no path argument: responds with the current CWD (no directory change).
- If command is OK: responds with the current CWD.
- All other values: passed directly as arguments to cmd.exe with stdout/stderr redirected, no window. Output returned to C2. If output is empty, sends [Command Executed Successfully].
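The wire formats from §4.2 and §5 as an added example, written here for this report; it is not code from the sample, from SECUINFRA or from any public tool. It encodes commands the way the RAT does, parses the beacon, DRIVE and DIR* responses, and mirrors the CMD~ dispatch. The beacon, drive list and directory batch in the demo are constructed, and the 12-hex-digit MAC format is an assumption (the report only says a MAC address field is sent).

```python
"""Wire-format helpers for the AlmondRAT C2 protocol (added example, not the
RAT's code). Everything on the wire is UTF-16 LE text, so an ASCII content
match for "REFRESH" or "DIR*" never fires; command_signatures() gives the
byte patterns a rule needs. Sample traffic below is constructed."""
import re
from datetime import datetime

COMMANDS = ("REFRESH", "DRIVE", "DIR*", "DOWNLOAD*", "UPLOAD*", "DELETE*", "CMD~")
END_MARKER = "*|END|*"
# PATH><path>|ddMMyyyy|HHmmss?   or   FILE><path>|ddMMyyyy|HHmmss|<size>?
DIR_ENTRY = re.compile(r"(PATH|FILE)>([^|?]+)\|(\d{8})\|(\d{6})(?:\|(\d+))?\?")


def wire(text: str) -> bytes:
    """Encode exactly as the RAT does (Encoding.Unicode)."""
    return text.encode("utf-16-le")


def unwire(data: bytes) -> str:
    return data.decode("utf-16-le")


def command_signatures() -> dict:
    """Byte pattern per keyword, e.g. REFRESH -> b'R\\x00E\\x00F\\x00R\\x00E\\x00S\\x00H\\x00'."""
    return {c: wire(c) for c in COMMANDS}


def classify_payload(data: bytes):
    """Return (keyword, argument) for a C2->victim payload, or None."""
    try:
        text = unwire(data)
    except UnicodeDecodeError:          # odd length or invalid surrogates: not this protocol
        return None
    for c in COMMANDS:
        if text.startswith(c):
            return c, text[len(c):]
    return None


def cmd_subcase(argument: str):
    """Mirror the CMD~ dispatch on array8[1]: ('chdir', path) for CD or '/C CD'
    with a third ~-delimited argument, ('cwd', None) for CD without one or for
    OK, and ('exec', argument) for anything else (handed to cmd.exe)."""
    parts = argument.split("~")
    verb = parts[0].upper()
    if verb in ("CD", "/C CD"):
        return ("chdir", parts[1]) if len(parts) > 1 and parts[1] else ("cwd", None)
    if verb == "OK":
        return ("cwd", None)
    return ("exec", argument)


def parse_beacon(data: bytes) -> dict:
    """<UserDomainName>*<MAC Address>*<OS Name>."""
    fields = unwire(data).split("*")
    if len(fields) != 3:
        raise ValueError("beacon must have exactly three *-separated fields")
    return dict(zip(("domain", "mac", "os"), fields))


def parse_drives(data: bytes) -> list:
    """<DriveName>*<DriveType>*<TotalSizeBytes>| repeated, '|' closing each entry."""
    out = []
    for entry in unwire(data).split("|"):
        if entry:
            name, kind, size = entry.split("*")
            out.append({"name": name, "type": kind, "size": int(size)})
    return out


def parse_dir_batch(data: bytes):
    """Parse one DIR* batch (up to five '?'-terminated entries).
    Returns (entries, done); done is True when the batch carries *|END|*."""
    text = unwire(data)
    entries = []
    for kind, path, d, t, size in DIR_ENTRY.findall(text):
        entries.append({
            "type": "dir" if kind == "PATH" else "file",
            "path": path,
            "mtime": datetime.strptime(d + t, "%d%m%Y%H%M%S"),
            "size": int(size) if size else None,
        })
    return entries, END_MARKER in text


if __name__ == "__main__":
    # constructed traffic, not a capture; MAC format is an assumption
    print(parse_beacon(wire("WORKGROUP*001A2B3C4D5E*Windows 10 Pro")))
    print(classify_payload(wire("CMD~whoami")), cmd_subcase("whoami"))
    print(classify_payload(b"REFRESH"))      # ASCII bytes: None, and the RAT would not match them either
    batch = wire("PATH>C:\\Users\\victim|24052022|143000?"
                 "FILE>C:\\Users\\victim\\notes.txt|01072022|091530|1337?")
    print(parse_dir_batch(batch))
```

The receive side of the RAT has no length framing, so parse_dir_batch() expects one batch per read; a detection that reassembles the TCP stream should split on the '?' terminators rather than on segment boundaries.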
6. Notable Observations
- No persistence mechanism is visible in this sample. The RAT does not install itself, create registry Run keys, or drop files. Either persistence is handled by a dropper, or the operator establishes it manually via the CMD~ or UPLOAD* channels.
- No encryption on the wire: all C2 communication is plaintext UTF-16 LE over raw TCP. Command keywords are decrypted once at startup and compared in plaintext.
- Single hardcoded C2: 64.44.131[.]109:33638. No domain fallback, no DGA, no secondary C2.
- Salt = a person's name: using "Ivan Medvedev" as the PBKDF2 salt strongly suggests the developer either used a tutorial or template featuring this name, or it is the developer's own name (see §8.5).
- Saebamini[.]com: This domain appears as part of the mutex name and was also detected as a string by automated IOC extraction. It may be the author's personal site, used here as a unique mutex namespace.
7. IOCs
| Type | Value |
|---|---|
| SHA256 | 55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396 |
| SHA1 | bcc9e35c28430264575831e851182eca7219116f |
| MD5 | 71e1cfb5e5a515cea2c3537b78325abf |
| C2 IP | 64.44.131[.]109 |
| C2 Port | 33638 |
| Mutex | saebamini[.]com SingletonApp |
| Domain (in mutex) | saebamini[.]com |
| Internal name | stdrcl.exe |
| PDB path | C:\Users\Window 10 C\Desktop\COMPLETED WORK\stdrcl\stdrcl\obj\Release\stdrcl.pdb |
| Decryption password | s@1_oO7 |
| Decryption salt | Ivan Medvedev |
| Related file (contacts C2, Jan 2026) | Client9.exe (first seen 2026-01-26/27, ~45-50/77 VT detections) |
| Related file (contacts C2, Jan 2026) | %TEMP%\DEFORM~1.EXE (first seen 2026-01-26, 50/77 VT detections) |
8. Threat Intelligence
8.1 Malware Family
This sample is AlmondRAT — a .NET RAT publicly documented by SECUINFRA in July 2022 in their report "Whatever floats your Boat – Bitter APT continues to target Bangladesh". The family is catalogued on Malpedia under win.almondrat. VirusTotal engines detect it generically as HEUR:Trojan.MSIL.Agent.gen (Kaspersky), Trojan:Win32/Casdet!rfn (Microsoft), and Trojan Horse (Symantec) — 53/73 detections at time of lookup.
8.2 Attribution: Bitter APT
Based on SECUINFRA's published research, AlmondRAT is attributed to Bitter APT (also tracked as BITTER, T-APT-17, APT-C-08), a suspected South Asian threat actor with a history of targeting Pakistan, Bangladesh, and other regional governments and military entities. The 2022 campaign used spearphishing emails themed around the Bangladeshi Navy to deliver document-based droppers that ultimately loaded this RAT.
Attribution confidence for this specific sample to Bitter APT is medium: the C2 IP and the binary match what SECUINFRA published, and the mutex string is consistent with their description, but I am treating the published attribution as a hypothesis rather than fact, per standard analytical practice.
8.3 C2 Infrastructure
The hardcoded C2 64.44.131[.]109 is hosted under Nexeon Technologies (ASN 20278, US). It received 5 malicious / 1 suspicious flags on VirusTotal out of 93 engines. VT records the URL http://64[.]44[.]131[.]109:33638/ as having been scanned on 2022-07-10, placing the C2 in active use around the time of the original campaign.
The IP has five known communicating files:
- Two stdrcl.exe variants (first seen May and July 2022 — the original campaign period)
- Two Client9.exe files (first seen January 26–27, 2026, detection ~45–50/77)
- One %TEMP%\DEFORM~1.EXE (first seen January 26, 2026, detection 50/77)
The January 2026 activity is notable: the same C2 IP is being contacted by new, highly-detected files (Client9.exe, DEFORM~1.EXE) not present in the 2022 campaign. This suggests one of two scenarios: (a) the original operators have reactivated the infrastructure with a new loader chain, or (b) another actor has reused the IP. The detection ratios on the new files and the operational pattern (dropper → RAT client) are consistent with scenario (a), but neither is actor-specific, so the question stays open until the 2026 samples themselves are analysed.
8.4 The saebamini[.]com Mutex
The mutex string saebamini[.]com SingletonApp uses a domain that resolves to GitHub Pages (185.199.x.153), consistent with a personal developer or researcher site registered in 2011 and maintained since. The domain itself has zero malicious detections. The SECUINFRA report explicitly calls out this domain as the operator's own identifier embedded in the mutex name. VT confirms the domain appears in that report as a reference, not as a network IOC.
Additionally, SECUINFRA noted a coding artifact: the mutex pattern was copied from a C# tutorial but incompletely — the code acquires the mutex with WaitOne(TimeSpan.Zero) but, in earlier versions, did not call ReleaseMutex. In this decompiled version the mutex is held via a using block wrapping the infinite loop, which is functionally equivalent to never releasing it while the process runs.
8.5 The Ivan Medvedev Salt
The PBKDF2 salt Ivan Medvedev (bytes {73,118,97,110,32,77,101,100,118,101,100,101,118}) is almost certainly lifted from a widely-circulated Stack Overflow / blog tutorial for AES-PBKDF2 encryption in C#. "Ivan Medvedev" was a Microsoft developer frequently cited in early .NET crypto examples. Using it verbatim as a static salt rather than generating a random one is a significant weakness and a useful signature.
9. Summary
AlmondRAT (stdrcl.exe, SHA256: 55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396) is a compact, purpose-built .NET RAT that disguises itself as a Microsoft "Host Troubleshoot Service". It beacons to a hardcoded C2 (64.44.131[.]109:33638) with victim identification information (user domain name, MAC address, OS product name) and then awaits commands. The full command set (REFRESH, DRIVE, DIR*, DOWNLOAD*, UPLOAD*, DELETE*, CMD~) provides complete remote file-system management and interactive shell access.
String obfuscation uses AES-256-CBC with a PBKDF2-derived key and IV, both fixed (hardcoded password s@1_oO7 and salt Ivan Medvedev). This provides no real protection once the scheme is identified: the key and IV are identical for every copy of the malware, so one static decryptor recovers every embedded string.
Published research (SECUINFRA, 2022) attributes AlmondRAT to Bitter APT targeting Bangladeshi military organizations. The C2 IP shows renewed activity in January 2026 through new dropper files (Client9.exe, DEFORM~1.EXE), suggesting the infrastructure may still be operational.
References
- SECUINFRA Falcon Team: Whatever floats your Boat – Bitter APT continues to target Bangladesh (2022-07-05)
- Malpedia: win.almondrat
- Cisco Talos: Bitter APT adds Bangladesh to their targets (2022-05)
- The Hacker News: Bitter APT Hackers Continue to Target Bangladesh Military Entities (2022-07)