sectoprat

General

Target

fa38bc50e82c0b00890b3234017ee1c0446f48114e700717f69d12dfb5c7d043.exe
Size

347KB
Sample

240428-cpxegaea74
MD5

5ec61087c62b7253d45b72e19c096b5f
SHA1

90658f4eec68c48a2764acdd86d4ebf8757a27d3
SHA256

fa38bc50e82c0b00890b3234017ee1c0446f48114e700717f69d12dfb5c7d043
SHA512

71c3071214ac76f9a98c9a86eeb9234c28630a44d533714b85dce8867641de18db7283d4995bfd773434f03646fcd1ab3b79e65ad0210d79c9a5e4f670ca736a
SSDEEP

6144:8o+4WgjZb/JFOtrrcQfDowFsTPgZvaRGbmDgAsWrJhUN5m8BO:5ZjZb/JfQboRTAvaYykBAfF

Score

10^/10

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.76

Attributes

url_path
/8681490a59ad0e34.php

Targets

- Target
  
  fa38bc50e82c0b00890b3234017ee1c0446f48114e700717f69d12dfb5c7d043.exe
- Size
  
  347KB
- MD5
  
  5ec61087c62b7253d45b72e19c096b5f
- SHA1
  
  90658f4eec68c48a2764acdd86d4ebf8757a27d3
- SHA256
  
  fa38bc50e82c0b00890b3234017ee1c0446f48114e700717f69d12dfb5c7d043
- SHA512
  
  71c3071214ac76f9a98c9a86eeb9234c28630a44d533714b85dce8867641de18db7283d4995bfd773434f03646fcd1ab3b79e65ad0210d79c9a5e4f670ca736a
- SSDEEP
  
  6144:8o+4WgjZb/JFOtrrcQfDowFsTPgZvaRGbmDgAsWrJhUN5m8BO:5ZjZb/JfQboRTAvaYykBAfF
Score

10^/10

sectoprat stealc discovery rat spyware stealer trojan
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

SectopRAT payload

Stealc

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2