
AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5)

AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself had been released in September 2021. (Citation: welivesecurity_ahrat_0523)

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | Encrypted Channel - T1521 (ed2c05a1-4f81-4d97-9e1b-aff01c34ae84) | Attack Pattern | 1
Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1
Boot or Logon Initialization Scripts - T1398 (46d818a5-67fa-4585-a7fc-ecf15376c8d5) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
Broadcast Receivers - T1624.001 (3775a580-a1d1-46c4-8147-c614a715f2e9) | Attack Pattern | AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | 1
AhRat - S1095 (24c8f6db-71e0-41ef-a1dc-83399a5b17e5) | Malware | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 1
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 2
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 2
Broadcast Receivers - T1624.001 (3775a580-a1d1-46c4-8147-c614a715f2e9) | Attack Pattern | Event Triggered Execution - T1624 (d446b9f0-06a9-4a8d-97ee-298cfee84f14) | Attack Pattern | 2