sectoprat | 24972cecda20154015c31f4a8820764cbfa958d2968ab2b4a7c9e3e43510b888

General

Target

78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
Size

1.0MB
MD5

78ea47b51ee8f1ae3dc5b98e56c43d3f
SHA1

99e64c6a730642430ef80215393adbfba11122b6
SHA256

24972cecda20154015c31f4a8820764cbfa958d2968ab2b4a7c9e3e43510b888
SHA512

7a773021c6c02e5905ff1e3e99b3fb6cbfd5b6617ff831aea5b4cdf416e3d044e55895a5bf1e6fe5da3e3d6272fa82f7b88aaf592d6d61d94477e927a65fb19b

Score

10^/10

sectoprat evasion rat suricata trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/568-62-0x0000000000400000-0x00000000004A2000-memory.dmp	family_sectoprat
behavioral1/memory/568-63-0x0000000000400000-0x00000000004A2000-memory.dmp	family_sectoprat
behavioral1/memory/568-64-0x0000000000400000-0x00000000004A2000-memory.dmp	family_sectoprat
behavioral1/memory/568-65-0x000000000049C29E-mapping.dmp	family_sectoprat
behavioral1/memory/568-67-0x0000000000400000-0x00000000004A2000-memory.dmp	family_sectoprat
behavioral1/memory/568-69-0x0000000000400000-0x00000000004A2000-memory.dmp	family_sectoprat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

jsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jsc.exe

suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata: ET MALWARE Arechclient2 Backdoor CnC Init
suricata
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

78ea47b51ee8f1ae3dc5b98e56c43d3f.exe

description pid process target process

PID 2024 set thread context of 568 2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe jsc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

78ea47b51ee8f1ae3dc5b98e56c43d3f.exe

pid process

2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
2024 78ea47b51ee8f1ae3dc5b98e56c43d3f.exe

flow	ioc
9	eth0.me

description	pid	process	target process
PID 2024 set thread context of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe

pid	process
2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

78ea47b51ee8f1ae3dc5b98e56c43d3f.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
Token: SeRestorePrivilege	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
Token: SeBackupPrivilege	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
Token: SeDebugPrivilege	568	jsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

78ea47b51ee8f1ae3dc5b98e56c43d3f.exe

description	pid	process	target process
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe
PID 2024 wrote to memory of 568	2024	78ea47b51ee8f1ae3dc5b98e56c43d3f.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\78ea47b51ee8f1ae3dc5b98e56c43d3f.exe
"C:\Users\Admin\AppData\Local\Temp\78ea47b51ee8f1ae3dc5b98e56c43d3f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - UAC bypass
  - Suspicious use of AdjustPrivilegeToken
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-59-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-65-0x000000000049C29E-mapping.dmp

Download
memory/568-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2024-55-0x0000000001310000-0x0000000001412000-memory.dmp

Filesize
1.0MB

Download
memory/2024-56-0x00000000009B0000-0x00000000009E4000-memory.dmp

Filesize
208KB

Download
memory/2024-57-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/2024-58-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads