sectoprat

General

Target

705685a8deace858e7fc849471c045f3.bin
Size

36KB
Sample

240428-bq4dqsch49
MD5

f007377ed5d49973a56300b6eeda6e6f
SHA1

0b6f34b84e7f93448784a0aab18e90a82bf09340
SHA256

61808802cf5808232043a5659d064395a10953bffe31b4a2807055b59a945b0e
SHA512

ac6fc120d3ef26dff01f622a3d09cf25f6ab4642e006525398120e1f6b97d70bee936fcea879b32a5fc566ac76765c84594da1d5c609d5d5e9e9d580c8c58b49
SSDEEP

768:UceE4o0WLi2GSO88j6omX+eGEDWX2HFQfo/+CZjUIG1taWR1lZ:veE70WLkrJtpED02lQfS+CJUv1P

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=1667

Extracted

Family

stealc

C2

http://185.172.128.62

Attributes

url_path
/902e53a07830e030.php

Targets

- Target
  
  7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe
- Size
  
  49KB
- MD5
  
  705685a8deace858e7fc849471c045f3
- SHA1
  
  10132365b465a6f231c8e292f462c2d005b4f9b0
- SHA256
  
  7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9
- SHA512
  
  b9dd7d5ca384ff4ad053d5f01d721f1180b1028e40c96cd94e04f2b2965e2f4be6cf4d2595f67c3e62039320b517e32200ffec165a9c544344d666732a57c56d
- SSDEEP
  
  1536:XferrLkSRoe8C4UZsys0Dh1duFpyFI+Plt:Xfi3k+oWDBDh1duFpXWlt
Score

10^/10

sectoprat stealc zgrat discovery rat spyware stealer trojan
- Detect ZGRat V1
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  25KB
- MD5
  
  40d7eca32b2f4d29db98715dd45bfac5
- SHA1
  
  124df3f617f562e46095776454e1c0c7bb791cc7
- SHA256
  
  85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
- SHA512
  
  5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
- SSDEEP
  
  384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E
Score

3^/10
behavioral3 behavioral4