sectoprat

General

Target

d83011dec2bbee77269f3b84f65ab094c77615e6a1f25266f7f7705eb2ce99b5.exe
Size

452KB
Sample

240428-chw55aeb9t
MD5

02abedd1d0aedda2c4ea7a7fabdf9895
SHA1

7e78b92c0ae7e4b575f0824062714ce774bd2bf9
SHA256

d83011dec2bbee77269f3b84f65ab094c77615e6a1f25266f7f7705eb2ce99b5
SHA512

daf5f3a3651e62a74a0bd4e7fd10e9f2a52f83d00285ccae4bb76700b5cc2f3e3a2fad6fd71426d6d4b4521efab3f52ff18f1113beaf0a061c70a5c0db5cae17
SSDEEP

6144:yqLtuGCSTaLZ4Bz5iNrmY4+wqKKxsnF4rclsMoSkRywnQts4la:yWtrlXI14qdxsn7T14N4la

Score

10^/10

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.62

Attributes

url_path
/902e53a07830e030.php

Targets

- Target
  
  d83011dec2bbee77269f3b84f65ab094c77615e6a1f25266f7f7705eb2ce99b5.exe
- Size
  
  452KB
- MD5
  
  02abedd1d0aedda2c4ea7a7fabdf9895
- SHA1
  
  7e78b92c0ae7e4b575f0824062714ce774bd2bf9
- SHA256
  
  d83011dec2bbee77269f3b84f65ab094c77615e6a1f25266f7f7705eb2ce99b5
- SHA512
  
  daf5f3a3651e62a74a0bd4e7fd10e9f2a52f83d00285ccae4bb76700b5cc2f3e3a2fad6fd71426d6d4b4521efab3f52ff18f1113beaf0a061c70a5c0db5cae17
- SSDEEP
  
  6144:yqLtuGCSTaLZ4Bz5iNrmY4+wqKKxsnF4rclsMoSkRywnQts4la:yWtrlXI14qdxsn7T14N4la
Score

10^/10

sectoprat stealc zgrat discovery rat spyware stealer trojan
- Detect ZGRat V1
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects encrypted or obfuscated .NET executables
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2