sectoprat | ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7

General

Target

ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe
Size

442KB
MD5

baab4aa164ea2d77b48a6986e912bf3d
SHA1

0ad886cb750824002967e491e94bd96298eb21f4
SHA256

ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7
SHA512

4cbaa101b0e10e739d3e43cac4f4ae86124d3c62c9119d83bd62696c48c7b65807f0c7173542d971f152cfb28c32c9cdbfc45ff6832a0e957df155f817406a87
SSDEEP

12288:8/YF+b8a+KLGNAKq48yhBV2S7PJwwh8na5r:8Qw+1NE48yRZxwNna5r

Score

10^/10

sectoprat stealc rat stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1580-142-0x0000000000700000-0x00000000007C6000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	u3xo.0.exe
660	run.exe

Loads dropped DLL 1 IoCs

pid	Process
660	run.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 3000	660	run.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1596	5100	WerFault.exe	89
3964	2992	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
660	run.exe
660	run.exe
660	run.exe
3000	cmd.exe
3000	cmd.exe
3000	cmd.exe
3000	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
660	run.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
660	run.exe
660	run.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 2992	5100	ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe	93
PID 5100 wrote to memory of 2992	5100	ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe	93
PID 5100 wrote to memory of 2992	5100	ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe	93
PID 5100 wrote to memory of 660	5100	ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe	99
PID 5100 wrote to memory of 660	5100	ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe	99
PID 5100 wrote to memory of 660	5100	ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe	99
PID 660 wrote to memory of 3000	660	run.exe	107
PID 660 wrote to memory of 3000	660	run.exe	107
PID 660 wrote to memory of 3000	660	run.exe	107
PID 660 wrote to memory of 3000	660	run.exe	107

C:\Users\Admin\AppData\Local\Temp\ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe
"C:\Users\Admin\AppData\Local\Temp\ed3cbb28a5610df5a2d0489adcca1fed35a213ba85310f998638279734435eb7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\u3xo.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u3xo.0.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1148
    3⤵
    - Program crash
    PID:3964
- C:\Users\Admin\AppData\Local\Temp\u3xo.2\run.exe
  "C:\Users\Admin\AppData\Local\Temp\u3xo.2\run.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      PID:1580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1148
  2⤵
  - Program crash
  PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4832 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5100 -ip 5100
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2992 -ip 2992
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\577411ae

Filesize
1.4MB

MD5
0e991e3d7ae641392c1f6bf47a5d55c4

SHA1
1292e81bfc138962b91ba20beb682dc387315c1f

SHA256
f3d14dbe2669bd64197cd200848a46f52c24a0adfa0691cd2ccbd158cdfff1e8

SHA512
ca59ce0161c5ef3f97dd5c1138c26fb2b26ee63431d720c7934f56c09c73e85427b629964bb0d6b01dc7c92a5a402ea8a8e3201b7b3c46d19cd4b926d6352015

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3xo.0.exe

Filesize
298KB

MD5
230c83682ed7972ae26e0b13d4e3a974

SHA1
a53fc041717ae86753e7be8cf803b3f638ea0c74

SHA256
2d1f0d8f8076c0f7549a00684ea10e3a81cfa29be3bdd3df2e13656766625a0d

SHA512
ebdc20b852bbda4e69389eeed136b66115b407dcb91134da031e7405433c9f679a6a73d5388e1458801b0ac44016784373e0c3cbbd17ffee2fbca04f52f38dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3xo.1.zip

Filesize
3.7MB

MD5
78d3ca6355c93c72b494bb6a498bf639

SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3xo.2\UIxMarketPlugin.dll

Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3xo.2\bunch.dat

Filesize
1.3MB

MD5
1e8237d3028ab52821d69099e0954f97

SHA1
30a6ae353adda0c471c6ed5b7a2458b07185abf2

SHA256
9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

SHA512
a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3xo.2\relay.dll

Filesize
1.5MB

MD5
10d51becd0bbce0fab147ff9658c565e

SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3xo.2\run.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3xo.2\whale.dbf

Filesize
85KB

MD5
a723bf46048e0bfb15b8d77d7a648c3e

SHA1
8952d3c34e9341e4425571e10f22b782695bb915

SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

Download Submit
memory/660-116-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/660-117-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/660-121-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/660-110-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

Filesize
2.0MB

Download
memory/660-109-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/1580-148-0x0000000004F40000-0x0000000004F90000-memory.dmp

Filesize
320KB

Download
memory/1580-141-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/1580-145-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1580-144-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/1580-147-0x0000000004EC0000-0x0000000004F36000-memory.dmp

Filesize
472KB

Download
memory/1580-143-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/1580-137-0x0000000071610000-0x0000000072864000-memory.dmp

Filesize
18.3MB

Download
memory/1580-142-0x0000000000700000-0x00000000007C6000-memory.dmp

Filesize
792KB

Download
memory/1580-146-0x0000000005090000-0x0000000005252000-memory.dmp

Filesize
1.8MB

Download
memory/2992-119-0x0000000000400000-0x000000000403C000-memory.dmp

Filesize
60.2MB

Download
memory/2992-120-0x0000000004220000-0x0000000004320000-memory.dmp

Filesize
1024KB

Download
memory/2992-20-0x0000000004220000-0x0000000004320000-memory.dmp

Filesize
1024KB

Download
memory/2992-104-0x0000000000400000-0x000000000403C000-memory.dmp

Filesize
60.2MB

Download
memory/2992-21-0x00000000041B0000-0x00000000041D7000-memory.dmp

Filesize
156KB

Download
memory/3000-136-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/3000-134-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/3000-133-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/3000-125-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

Filesize
2.0MB

Download
memory/3000-123-0x0000000072870000-0x00000000729EB000-memory.dmp

Filesize
1.5MB

Download
memory/5100-1-0x00000000043C0000-0x00000000044C0000-memory.dmp

Filesize
1024KB

Download
memory/5100-2-0x00000000042E0000-0x000000000434D000-memory.dmp

Filesize
436KB

Download
memory/5100-3-0x0000000000400000-0x000000000405F000-memory.dmp

Filesize
60.4MB

Download
memory/5100-4-0x0000000000400000-0x000000000405F000-memory.dmp

Filesize
60.4MB

Download
memory/5100-6-0x0000000000400000-0x000000000405F000-memory.dmp

Filesize
60.4MB

Download
memory/5100-7-0x00000000043C0000-0x00000000044C0000-memory.dmp

Filesize
1024KB

Download
memory/5100-103-0x0000000000400000-0x000000000405F000-memory.dmp

Filesize
60.4MB

Download
memory/5100-8-0x00000000042E0000-0x000000000434D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing