sectoprat | 104645c74843e385754502a80a935156b585c6969fba1be83efe9b554a746560 | Triage

Submit
Reports

Overview

overview

Static

static

1

f6ed1f34f6...91.exe

windows7-x64

f6ed1f34f6...91.exe

windows10-2004-x64

Sharing

General

Target

f6ed1f34f629ab51dba4c63dc57c1a91
Size

6.8MB
Sample

230321-gg7bxsah9v
MD5

f6ed1f34f629ab51dba4c63dc57c1a91
SHA1

b62bbeef12de9a18ecf785153b9b429bca733aba
SHA256

104645c74843e385754502a80a935156b585c6969fba1be83efe9b554a746560
SHA512

853b9c762d5ce15948b2a23e26f581b02ac16749157669fd8ec702e7cdab25aded95ece117b2ed971cedee9d4df724340ad946e8cb8e775bd749e7de61fb468d
SSDEEP

196608:7DANPFmCV+OoxomMRb4MGK3oI8XY2OqjoRK:70HPE+7GK3oVhOI

Score

10^/10

sectoprat bootkit evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

f6ed1f34f629ab51dba4c63dc57c1a91.exe

Resource

win7-20230220-en

sectoprat bootkit evasion persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

f6ed1f34f629ab51dba4c63dc57c1a91.exe

Resource

win10v2004-20230220-en

sectoprat bootkit evasion persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  f6ed1f34f629ab51dba4c63dc57c1a91
- Size
  
  6.8MB
- MD5
  
  f6ed1f34f629ab51dba4c63dc57c1a91
- SHA1
  
  b62bbeef12de9a18ecf785153b9b429bca733aba
- SHA256
  
  104645c74843e385754502a80a935156b585c6969fba1be83efe9b554a746560
- SHA512
  
  853b9c762d5ce15948b2a23e26f581b02ac16749157669fd8ec702e7cdab25aded95ece117b2ed971cedee9d4df724340ad946e8cb8e775bd749e7de61fb468d
- SSDEEP
  
  196608:7DANPFmCV+OoxomMRb4MGK3oI8XY2OqjoRK:70HPE+7GK3oVhOI
Score

10^/10

sectoprat bootkit evasion persistence rat trojan
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

sectopratbootkitevasionpersistencerattrojan

behavioral2

sectopratbootkitevasionpersistencerattrojan

© 2018-2024

Terms | Privacy