sectoprat | 55108ea57f47939a336a8bed35d8be38509c3a88f120797e62ebdb2e025a49b8 | Triage

Sharing

General

Target

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.zip
Size

1.1MB
Sample

230321-rvmvjsda6v
MD5

f44cd174186bb94b0189d243411051fd
SHA1

13d455c29d4fc91f0856bad94c8f30320f588122
SHA256

55108ea57f47939a336a8bed35d8be38509c3a88f120797e62ebdb2e025a49b8
SHA512

6778bb2b0cd1a10a8a7bccd53dda3272243c42729b52ba7bc35f336324d80ce3082cd1c4a3ff68ec13c45bcf7a3eadb651a98ef5102aadf70a2fd29f9fc5255f
SSDEEP

24576:j2/U4A9QhVuvv4Shcb8g6HE1PbfkWaPzw9Q:q/qgqv4ag6mzfkVzKQ

Score

10^/10

sectoprat evasion persistence rat spyware trojan

Malware Config

Targets

- Target
  
  315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
- Size
  
  1.1MB
- MD5
  
  aedef5976cbed764e16089f0cd5b79e0
- SHA1
  
  a21cc8e454927fa878efb34491fdba1cd7ff90c7
- SHA256
  
  315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
- SHA512
  
  c3e0066946bb2934b682d1cc7293822e57b2a8451e64150053c4e8c2bee76f14a3d7e11b2b77145f60e3479df5d0f25453cb2f776ecf5c2a9263e33c105d4d63
- SSDEEP
  
  24576:5Q+7rOqFARbKlkTPiZ/V2RdpldkWeaoF9pG5QqRtuAZ:5Q+7rOqF8bKuIULp7kWexte
Score

10^/10

persistence sectoprat evasion rat spyware trojan
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Process Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

sectopratevasionpersistenceratspywaretrojan