sectoprat | c3f742bbbd33c7638fc3ead2f7f3ca089e6e79c3277d58997f28bd19efc10050

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07256d661e730a414482da334819fc36.exe
Size

814KB
MD5

07256d661e730a414482da334819fc36
SHA1

d66936b189f6e12a5f5ef997e794976dd7b9d9d5
SHA256

c3f742bbbd33c7638fc3ead2f7f3ca089e6e79c3277d58997f28bd19efc10050
SHA512

2d4f9396f7a78d66abc8828da42cc782b2490c6d35ff19eecc0de001aa97d35b52af84486fd2534861b3d73dac894bcacfbc7c1ec1a4c37d91b71b13c40d567d
SSDEEP

12288:GdLwWCn3QrAIsj0AQki7u4YiAoorWv4BqUPCdCCGG:Z3QejkV7u4zorNqtXGG

Score

10^/10

sectoprat discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3328-1-0x0000000000B30000-0x0000000000C02000-memory.dmp	family_sectoprat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Kills process with taskkill 1 IoCs

evasion

pid	Process
1328	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3328	07256d661e730a414482da334819fc36.exe
3328	07256d661e730a414482da334819fc36.exe
3328	07256d661e730a414482da334819fc36.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	07256d661e730a414482da334819fc36.exe
Token: SeDebugPrivilege	1328	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1328	3328	07256d661e730a414482da334819fc36.exe	93
PID 3328 wrote to memory of 1328	3328	07256d661e730a414482da334819fc36.exe	93
PID 3328 wrote to memory of 1328	3328	07256d661e730a414482da334819fc36.exe	93

C:\Users\Admin\AppData\Local\Temp\07256d661e730a414482da334819fc36.exe
"C:\Users\Admin\AppData\Local\Temp\07256d661e730a414482da334819fc36.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /im chrome.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp83A9.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83DB.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/3328-4-0x0000000005A60000-0x0000000005C22000-memory.dmp

Filesize
1.8MB

Download
memory/3328-9-0x0000000005DC0000-0x0000000005E10000-memory.dmp

Filesize
320KB

Download
memory/3328-0-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3328-5-0x00000000056E0000-0x0000000005756000-memory.dmp

Filesize
472KB

Download
memory/3328-6-0x00000000061E0000-0x0000000006784000-memory.dmp

Filesize
5.6MB

Download
memory/3328-7-0x0000000006CC0000-0x00000000071EC000-memory.dmp

Filesize
5.2MB

Download
memory/3328-8-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/3328-3-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3328-10-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/3328-2-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/3328-1-0x0000000000B30000-0x0000000000C02000-memory.dmp

Filesize
840KB

Download
memory/3328-35-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3328-36-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3328-37-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/3328-38-0x0000000005910000-0x000000000594C000-memory.dmp

Filesize
240KB

Download