RedPeanut – A Small RAT Developed In .Net Core 2 And Its Agent In .Net 3.5/4.0

RedPeanut is a small RAT evolved in .Net Core 2 and its agent in .Net 3.5 / 4.0. RedPeanut code execution is in response to shellcode generated with DonutCS. It is subsequently a hybrid, even if evolved in .Net it does now not depend only at the Assembly.Load. This will increase the detection floor, however permits us to follow and experiment with more than a few evasion ways associated with the dotnet surroundings, procedure control and injection. This habits will also be modified at rutime with the “controlled” and “unmanaged” instructions. If you have an interest in a .Net C2 Framework this is constant and can be utilized in an enagement, I counsel Covenant.
footprint each server facet and shopper facet. The houses that may be set are:

  • General

    • Delay (between requests)
    • ContentUri (url of dynamic content material eg. dll hta and so on.)
    • ConsumerAgent
    • Spawn (the method to create to accomplish crucial duties)
    • HtmlCovered (Enable coated channel)
    • GoalClass (Class to seek for symbol get better)
  • Http Get

    • ApiPath (comma separated listing of url es /news-list.jsp,/antani.php and so on.)
    • Server

      • Prepend
      • Append
      • Headers (title and worth pair for http headers)
    • Client

      • Headers    
  • Http Post

    • ApiPath (comma separated listing of url es /news-list.jsp,/antani.php and so on.)
    • Param (the title of the put up request payload parameter)
    • Mask (structure for decoding the important thing price pair eg {0}={1}) (want extra paintings…)
    • Server

      • Prepend
      • Append
      • Headers (title and worth pair for http headers)
    • Client

      • Headers

Domain Fronting
To allow the area fronting give a boost to it is vital to worth the “Host” header within the shopper segment, each put up and get (exemplified within the default profile 2)

The PowerShellExecuter module permits you to execute oneliner instructions or recordsdata in a runspace with AMSI bypass, Logging bypass and PowerView already loaded.


  • Exe
  • Dll
  • PowerShell
  • Hta (vbs,powershell)
  • InstallUtil
  • MSBuild
  • MacroVba

Local modules

  • EvilClippy

Agent Tasks

  • Upload
  • DownLoad
  • SharpWeb
  • SharpWmi
  • SharpUp
  • UACBypass Token Duplication
  • SharpDPAPIVaults
  • SharpDPAPITriage
  • SharpDPAPIRdg
  • SharpDPAPIMasterKeys
  • SharpDPAPIMachineVaults
  • SharpDPAPIMachineTriage
  • SharpDPAPIMachineMasterKeys
  • SharpDPAPIMachineCredentials
  • SharpDPAPICredentials
  • SharpDPAPIBackupKey
  • Seatbelt
  • SafetyKatz
  • RubeusTriage
  • RubeusTgtDeleg
  • RubeusS4U
  • RubeusRenew
  • RubeusPurge
  • RubeusPtt
  • RubeusMonitor
  • RubeusKlist
  • RubeusKerberoast
  • RubeusHash
  • RubeusHarvest
  • RubeusDump
  • RubeusDescribe
  • RubeusCreateNetBest
  • RubeusChangePw
  • RubeusASREPRoast
  • RubeusAskTgt
  • SharpCOM
  • SharpGPOAddUserRights
  • SharpGPOAddStartupScript
  • SharpGPOAddLocalAdmin
  • SharpGPOAddImmediateTask
  • PowerShellExecuter
  • LatteralMSBuild
  • SharpPsExec
  • SharpAdidnsdump
  • PPIDAgent
  • SpawnAsAgent
  • SpawnShellcode
  • SpawnAsShellcode
  • SharpMiniDump


  • Autorun
  • Startup
  • WMI
  • CRL

Starting with model 0.3.0 RedPeanutAgent helps the blockdlls command. With this selection enabled, kid processes which can be created to accomplish duties in unmanaged mode are created with the characteristic PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON. This characteristic prevents the method of loading dlls that don’t seem to be signed by way of Microsoft, this may just offer protection to our duties from AV and EDR hooking ways.

Direct Sysstem Call and Dynamic Dll Loading
RedPeanutAgent makes use of Dynamic Dll loading to averting the use of of suspicious Dll Imports. Credits for Dynamic Dll Loading is going to @TheRealWover, @cobbr_io and @FuzzySec for his or her paintings in SharpSploit.
Some AV and EDR distributors used hooking option to stay monitor of actions. To steer clear of the use of hooked syscall RedPeanutAgent makes use of direct syscall, auto injecting the essential code. Credits for Direct Syscall is going to @Cneelis

To run RedPeanut you want to have dotnet put in. To set up dotnet on Kali:

wget -qO- | gpg --dearmor > microsoft.asc.gpg
mv microsoft.asc.gpg /and so on/apt/depended on.gpg.d/
wget -q
mv prod.listing /and so on/apt/assets.listing.d/microsoft-prod.listing
chown root:root /and so on/apt/depended on.gpg.d/microsoft.asc.gpg
chown root:root /and so on/apt/assets.listing.d/microsoft-prod.listing

apt-get set up apt-transport-https
apt-get replace
apt-get set up dotnet-sdk-2.1
git clone --recursive

For the coated channel capability it is vital to put in the libgdiplus library, subsequently:
For linux customers:

apt-get set up -y libgdiplus

For OSx

brew set up mono-libgdiplus

Assembly signing key era

C:Program Files (x86)Microsoft Visual Studio2017Neighborhood>sn.exe -k 4096 key.snk

Than reproduction key.snk in Workspace/KeyFile

[email protected]:~# cd RedPanut
[email protected]:~/RedPeanut# dotnet run
Using release settings from /root/Projects/RedPeanut/Properties/launchSettings.json...
Enter password to encrypt serverkey:

____[email protected]b4rtik
________________________________________________________________________ __

[*] No profile avalilable, growing new one...
[RP] >

Shellcode generator
DonutCS is a shellcode era device that creates position-independant shellcode payloads from .NET Assemblies. This shellcode could also be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an access level (akin to Program.Main), it produces position-independent shellcode that so much it from reminiscence. The .NET Assembly can both be staged from a URL or stageless by way of being embedded immediately within the shellcode.

CLR Persistence
The CLR patience method used to be offered for the primary time on this put up by way of @Am0nsec. The method is composed in wearing out the application area supervisor hooking. As described within the put up, the meeting to hold out hooking is essential which is to be had within the GAC. An meeting for use from the GAC should be strong-named and then signed with a key. The CLR patience module wishes a key so that you can signal the assemblies, which will also be generated with the sn.exe device as follows:

** Visual Studio 2019 Developer Command Prompt v15.9.3
** Copyright (c) 2019 Microsoft Corporation

C:Program Files (x86)Microsoft Visual Studio2017Neighborhood>sn.exe -k 4096 key.snk

Copy the important thing.snk document to Workspace/KeyFile folder. This document might be used to signal the meeting for patience.

Tools updating
Some of the well known equipment found in RedPeanut such because the GhostPack equipment are wrapped in complete and completed at the shopper facet. To replace the equipment, as an example SeatBelt, with out updating all the repository is essential: Clone the Seatbelt repository, rename the “Main” way in “Execute”, insert the general public modifier and recompile as dll. The dll should be compressed and encoded in Base64 with the playstation RastaMouse’s script Get-CompressedShellcode.ps1


Download RedPeanut