As we wrap up our three-part series on the RAT tools suffered upon our friends at Hazrat Supply, we must visit the centerpiece of it all. The big dog in this fight is indeed the bybtt.cc3 file (Jake suspected this), Backdoor:Win32/Zegost.B. The file is unquestionably a PE DLL, but it was renamed to .cc3 to hide on the system as if it were a CueCards Professional database file.
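The extension-versus-header mismatch described above (a PE DLL carrying a .cc3 name) is exactly what a triage script can flag. The following is an added example, not code from the diary: it parses only the DOS and COFF file headers, checks the IMAGE_FILE_DLL characteristic, and reports files whose extension does not match what the header says. The sample bytes are constructed header skeletons, not real executables, and the file name bybtt.cc3 is taken from the text.

```python
import os
import struct

IMAGE_FILE_DLL = 0x2000          # Characteristics flag set on DLL images
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def pe_info(data: bytes):
    """Return (is_pe, is_dll) for raw file bytes by reading only the headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need "PE\0\0" plus the 20-byte COFF file header to be in bounds
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    # Characteristics is the last WORD of the COFF header (signature + 22)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return True, bool(characteristics & IMAGE_FILE_DLL)


def classify(filename: str, data: bytes) -> str:
    """Label a file by comparing its claimed extension with its PE header."""
    is_pe, is_dll = pe_info(data)
    if not is_pe:
        return "not-pe"
    kind = "pe-dll" if is_dll else "pe-exe"
    ext = os.path.splitext(filename)[1].lower() or "no-ext"
    if ext not in PE_EXTENSIONS:
        return f"{kind}-masquerading-as-{ext}"
    return kind


def scan_dir(root: str):
    """Walk a directory tree and return (path, label) for every masquerading PE."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                label = classify(name, fh.read(0x1000))   # headers fit in 4 KiB
            if "masquerading" in label:
                hits.append((path, label))
    return hits


def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed sample: minimal MZ + PE signature + COFF header, nothing else."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                 # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after it
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x014C)               # Machine: i386
    flags = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)    # EXECUTABLE_IMAGE | 32BIT
    struct.pack_into("<H", coff, 18, flags)               # Characteristics
    return bytes(dos) + b"PE\0\0" + bytes(coff)
```

Run `scan_dir` over a suspect directory to list renamed PE files; the label tells you whether the hidden image is a DLL or an EXE.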
More here: https://isc.sans.edu/diary/Keeping+the+RATs+out%3A+the+trap+is+sprung+-+Part+3/18415