sectoprat | ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669

General

Target

ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe
Size

4.7MB
MD5

4ce7775ec68921dee5366abc8148df9e
SHA1

11593f51a40908ba866503a6db284d4d79bd53ce
SHA256

ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669
SHA512

78153bc16b4ca6fb7fbc42c8a50f8c323608a6d1bbc1e994354b1df0d09ebf261fbb027da2299e67b394d87b73f21e69ef13032d97d31cd0e968611ec7b0af18
SSDEEP

98304:YBBcCq+N3yM8DrarmHyZoVicyOxz+MyOZ4pFWfYR:YB8MiM8DraaSZ2yOF8pFWfY

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/312-0-0x00000000001C0000-0x000000000067A000-memory.dmp	family_zgrat_v1

Detects Arechclient2 RAT 1 IoCs

Arechclient2.

resource	yara_rule
behavioral2/memory/2156-21-0x0000000000400000-0x00000000004D2000-memory.dmp	MALWARE_Win_Arechclient

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/312-20-0x0000000006CF0000-0x0000000006DF0000-memory.dmp	family_sectoprat
behavioral2/memory/2156-21-0x0000000000400000-0x00000000004D2000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/312-0-0x00000000001C0000-0x000000000067A000-memory.dmp	net_reactor

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paternas_for_analyzing_waves.lnk	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe

Loads dropped DLL 1 IoCs

pid	Process
312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 312 set thread context of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3408	312	WerFault.exe	73

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	InstallUtil.exe
Token: SeDebugPrivilege	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74
PID 312 wrote to memory of 2156	312	ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe	74

C:\Users\Admin\AppData\Local\Temp\ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe
"C:\Users\Admin\AppData\Local\Temp\ef350c11d662c89bde6faf6a621f464c885f4c2633c5125aef7793f3b37eb669.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 1488
  2⤵
  - Program crash
  PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF7.tmp

Filesize
19KB

MD5
ddd55f193747b5519afed40bfb63eac7

SHA1
0e0a6c25fc2ffffaba3fc400dc57fe63641ca448

SHA256
05398709026603084c4bea241f88962675a5c11e7fb02ea508d4c5def3b2afcf

SHA512
e83b6732dbbde8dab224b5fb940184bacc29de9d5d829144228df9dbf715cdfda48861870cabd14b9dca2f9badd8aa51937f1cd52571dc9c77b6f4d2a892d2f6

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
57KB

MD5
7eb2d3b3c617701ca61eb4a9512073b0

SHA1
1086b4814315f5864c9999c732e15282413cef8d

SHA256
d735b2fc441d5f4cd60de92ed562bdc1e4fd896efc0d484a008222fa3a532aec

SHA512
dfde055f4946dd422f652c9d8c1ab6e6bed861ee0f32e54620c897396ed796f1731a0b003f44d3fd82fdb3a4415db8461a31f849826b8a36da009e962e22c2c3

Download Submit
memory/312-18-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/312-53-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/312-4-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-5-0x0000000006480000-0x000000000676C000-memory.dmp

Filesize
2.9MB

Download
memory/312-6-0x0000000006770000-0x0000000006902000-memory.dmp

Filesize
1.6MB

Download
memory/312-14-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-13-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-17-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-20-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/312-0-0x00000000001C0000-0x000000000067A000-memory.dmp

Filesize
4.7MB

Download
memory/312-52-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/312-1-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/312-54-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/312-51-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-43-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-19-0x0000000006CF0000-0x0000000006DF0000-memory.dmp

Filesize
1024KB

Download
memory/312-16-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-3-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/312-41-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-12-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/312-2-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/312-15-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/312-42-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2156-21-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2156-31-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/2156-30-0x00000000057B0000-0x0000000005800000-memory.dmp

Filesize
320KB

Download
memory/2156-29-0x00000000056E0000-0x00000000056FE000-memory.dmp

Filesize
120KB

Download
memory/2156-28-0x0000000006430000-0x000000000695C000-memory.dmp

Filesize
5.2MB

Download
memory/2156-27-0x0000000005A00000-0x0000000005EFE000-memory.dmp

Filesize
5.0MB

Download
memory/2156-22-0x0000000004F50000-0x0000000004FE2000-memory.dmp

Filesize
584KB

Download
memory/2156-24-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2156-25-0x0000000005330000-0x00000000054F2000-memory.dmp

Filesize
1.8MB

Download
memory/2156-26-0x0000000004FF0000-0x0000000005066000-memory.dmp

Filesize
472KB

Download
memory/2156-23-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-55-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-56-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing