
Releases: jeFF0Falltrades/rat_king_parser

v3.2.3

25 Nov 03:46

What's New?

  • Raw data can now be passed into the primary config parser, alongside file paths (thanks @doomedraven!)

v3.2.2

25 Nov 03:12

What's New?

v3.1.8

12 Nov 22:16

What's Changed:

  • Under-the-hood adjustments to the packaging workflow via GitHub actions

v3.1.7

12 Nov 22:12

v3.1.5

12 Nov 05:53

What's New:

  • Rearranges the order of operations for parsing salt and key values in AES CBC, so that the correct values are parsed when a payload contains multiple initialization points for them

v3.1.4

03 Nov 02:22
Release version 3.1.4

v3.1.3

31 Oct 13:11

One big change with this release: RAT King Parser is now available to install from PyPI!

Thanks to @doomedraven for the help along the way! <3

v3.1.1

30 Oct 15:25

This release implements the following bug fixes:

  • The AES CBC parser now accounts for multiple salt values being present in a payload: before attempting to parse the payload, it determines which salt value is actually used for encryption, as opposed to salt values that are merely present in the payload
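The salt validation that the v3.1.1 fix above and the v3.1.5 note further up describe, as an added example that is not RAT King Parser's own code. It assumes the key and blob layout of AsyncRAT-style payloads as described in that family's public source (one PBKDF2-HMAC-SHA1 stream with 50000 iterations supplying a 32-byte AES key and then a 64-byte HMAC key; each encrypted string is HMAC-SHA256 over IV plus ciphertext, followed by the IV and the ciphertext). The passphrase, salts, IV and ciphertext are constructed; the ciphertext is placeholder bytes, because the point is choosing the right salt before decryption, not the AES step itself (which the Python standard library does not provide). Function names are mine.

```python
from __future__ import annotations

import hashlib
import hmac

# Key/blob layout of AsyncRAT-style AES-CBC string encryption, as seen in
# that family's public source (assumed here as the concrete family): one
# PBKDF2-HMAC-SHA1(passphrase, salt, 50000 iterations) stream supplies a
# 32-byte AES key followed by a 64-byte HMAC key, and an encrypted blob is
#   HMAC-SHA256(iv || ciphertext) || iv || ciphertext
PBKDF2_ITERATIONS = 50000
AES_KEY_LEN = 32
HMAC_KEY_LEN = 64
HMAC_LEN = 32
IV_LEN = 16


def derive_keys(passphrase: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Return (aes_key, hmac_key) as two consecutive GetBytes() calls on a
    single Rfc2898DeriveBytes instance would hand them out."""
    stream = hashlib.pbkdf2_hmac(
        "sha1", passphrase, salt, PBKDF2_ITERATIONS, dklen=AES_KEY_LEN + HMAC_KEY_LEN
    )
    return stream[:AES_KEY_LEN], stream[AES_KEY_LEN:]


def salt_authenticates(passphrase: bytes, salt: bytes, blob: bytes) -> bool:
    """True when the HMAC at the head of `blob` verifies under the HMAC key
    derived from this (passphrase, salt) pair. A decoy salt derives a
    different HMAC key, so its tag does not verify and it is rejected
    before any decryption is attempted."""
    if len(blob) < HMAC_LEN + IV_LEN:
        return False
    _, hmac_key = derive_keys(passphrase, salt)
    expected = hmac.new(hmac_key, blob[HMAC_LEN:], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[:HMAC_LEN])


def select_salt(passphrase: bytes, candidates: list[bytes], blob: bytes) -> bytes | None:
    """Given every salt-like byte array recovered from a payload, return the
    one that actually authenticates an encrypted config blob, or None."""
    for salt in candidates:
        if salt_authenticates(passphrase, salt, blob):
            return salt
    return None


# --- constructed sample input; nothing below comes from a real sample ---
PASSPHRASE = b"example-passphrase"            # assumed; normally recovered from the payload
REAL_SALT = bytes(range(0x10, 0x30))         # constructed 32-byte salt actually in use
DECOY_SALTS = [bytes(32), bytes(range(32))]  # salt-shaped arrays that are merely present
SAMPLE_IV = bytes(range(IV_LEN))             # constructed IV
SAMPLE_CIPHERTEXT = bytes(48)                # placeholder bytes, not real AES output


def build_sample_blob(passphrase: bytes, salt: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Assemble a blob in the layout above so the selection logic has
    something in the right shape to verify against."""
    _, hmac_key = derive_keys(passphrase, salt)
    body = iv + ciphertext
    return hmac.new(hmac_key, body, hashlib.sha256).digest() + body


SAMPLE_BLOB = build_sample_blob(PASSPHRASE, REAL_SALT, SAMPLE_IV, SAMPLE_CIPHERTEXT)

if __name__ == "__main__":
    # Candidates in the order a naive parser might meet them: decoys first.
    chosen = select_salt(PASSPHRASE, DECOY_SALTS + [REAL_SALT], SAMPLE_BLOB)
    print("selected salt:", chosen.hex() if chosen else None)
```

The check is cheap relative to the PBKDF2 derivation, and it is the authentication tag, not a successful-looking decryption, that decides which candidate is the real salt: a wrong salt under AES-CBC can still yield bytes that happen to unpad cleanly, whereas the HMAC either verifies or it does not.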

v3.1.0

20 Oct 19:01

What's Changed

As of v3.1.0, RAT King Parser supports additional, optional wrapper extractors for integration with some external services.

The first of these wrappers is:

  • MACO: The Canadian Centre for Cyber Security's malware config extractor framework, which allows RAT King Parser to be integrated with MACO-compatible tools like AssemblyLine (though RAT King Parser is already integrated in AssemblyLine's configuration extraction service without need for further configuration)

In order to utilize these extractors, the optional dependencies for a particular extractor must be installed.

This can be done with pip by referencing the specific optional dependency group to install. For example:

pip install "rat_king_parser[maco] @ git+https://github.com/jeFF0Falltrades/rat_king_parser.git"

Aside from these updates, RAT King Parser was also integrated into the latest release of CAPEv2, thanks to a lot of hard work and review by the CAPEv2 team.

Huge thanks to doomedraven and cccs-rs for your help in the integrations with both CAPEv2 and AssemblyLine!

v3.0.0

20 Sep 04:11

RAT King Parser v3.0.0

You may be thinking: Did I completely miss versions 1 and 2?

Well, no. After maintaining this repository as more of an informal work in progress for some time, RAT King Parser has now gone through a complete rewrite, and I've decided to start versioning it formally.

Because it had already been through two iterations of significant refactoring, I've dubbed this first formal release as v3.0.0.

So what's new?!

  • A complete refactor of the code to make the tool easier to maintain and improve, as well as remediating several bugs
  • RKP can now be installed by pip and run as a utility module
  • Additional support has been added for DLL variants of QuasarRAT that were previously not able to be parsed
  • The primary configuration parser and several decryptors were rewritten to be more resilient to changes between different payloads of the same family
  • Several operations were optimized throughout the codebase

As always, I'm sure there are more improvements to be made: Please continue to submit Issues and feedback here, or get ahold of me on Mastodon or Reddit.

I hope you enjoy!