sectoprat

Sharing

Copy URL

Twitter E-mail

General

Target

17460070396 (2).zip
Size

42.0MB
Sample

240528-b9tzeabe99
MD5

08ea1fe8b7f28b93740c86d9dbf65452
SHA1

d780753f68aef95319e1c860a752de3c0656b581
SHA256

fe92a0c3ac848d23c2dc607b571e1ea804ef9e5a4fbd81412509929afe94e59c
SHA512

c1577f7d11bbd3c82e4a69fa0ebb5b4c3762e916dc0751d9e5eabf7ed0fdb9f6bf3cf9497d95edfbb8beb608b80bc3433e37ba08403b8721d97e2901d0069bed
SSDEEP

786432:d1Oog7aqVnsR4Z9/ApoIcOGX55QkNcZ/I1/IO8XnlD11Qdl/V/v93Dv:d45BBtBAZcRX55Fx1/YXp69vR7

Score

10^/10

Malware Config

Targets

- Target
  
  372d4853eda962e2d8f6ab3f7c444f7d6c9c1f0285d60fc55a9204ae3c2a1227
- Size
  
  13.0MB
- MD5
  
  991785096676a137f176e40f8f050844
- SHA1
  
  ba1c22cfd49706b5e352a8f63af8aa609f5aef7a
- SHA256
  
  372d4853eda962e2d8f6ab3f7c444f7d6c9c1f0285d60fc55a9204ae3c2a1227
- SHA512
  
  16dfbe53f35fae07cf7f9887b8c3dc6b93c912eb9f37afb7ef490639a6e4c01bd8a3c8868d5bd3ea2ea1e3e51c04b69551bdbbc1f2688c3a3e65507da5cf7f64
- SSDEEP
  
  393216:YY962Lr5+qnM52FCdVh4bodV6B/KTkVCJqV9r+/e:3962Q7ACd3qTSTJJ0r+G
Score

1^/10
behavioral1 behavioral2
- Target
  
  89a7d75e00d0ad1cc305d8e91214d8a44374bec4b99f7f19042703fa4ca74867
- Size
  
  3.0MB
- MD5
  
  a50b48c85f4d26cf6324834a0f606fa2
- SHA1
  
  c2e0b57fc1e6477fa8312ebeed4855239ac04ef2
- SHA256
  
  89a7d75e00d0ad1cc305d8e91214d8a44374bec4b99f7f19042703fa4ca74867
- SHA512
  
  1f3c45e2628040f9d528cac32b7e8dd3eb8c8f0003a9f283d2e4df1c97979d6d6a9f6906f3ff871f03e68236c4d210d95f4cedaa8a826d9ab98d65a916bad8b1
- SSDEEP
  
  49152:0uW6krivgOWOLKeGoeJ1RMrntlcpr7S0t5xNe1YI5ZnKWPPhc+yAjwfOsQqShibT:0uWRHOW+ym4pr7S0XC1YOPPhcEsfOsQU
Score

1^/10
behavioral3 behavioral4
- Target
  
  da5226b7d4fb1a02e9f30a6b226fb8b0d5a08b28f8d1a95bb029d42bd093fbef
- Size
  
  19.5MB
- MD5
  
  382b9f7b3540d5bb539ec70522e6301c
- SHA1
  
  bc3dfd8c421abc071a8bb2fd56012250b7f077ff
- SHA256
  
  da5226b7d4fb1a02e9f30a6b226fb8b0d5a08b28f8d1a95bb029d42bd093fbef
- SHA512
  
  d6eeda6845327ea822c92c57f5071640b95b8c3896f6f9227c42f2e6f724f26b37c090e39edc87a3ae9fdcd3cde5bee126e425c1fc8376b17a4c1f82132cdf4e
- SSDEEP
  
  393216:kA2zR/NGca9Kb+6vkH7DejkPPC+s8MOWeEbtoC9Eg+2:LSipKbZkv3S+sjdHJ9p+2
Score

8^/10

bootkit evasion persistence spyware stealer trojan discovery
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9
- Size
  
  7.3MB
- MD5
  
  5c95d5493dda877b228a6485a6d40d9c
- SHA1
  
  185482dabc06787f6ce14c6cd46c17372a1b77ae
- SHA256
  
  fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9
- SHA512
  
  05334c39be051eb33c0ad4787cd8d56a1386115bf809f2ec44088f719ab5bf3caf8e7a4539cb5d10b60bc5452b98d01656332b7e5c608038aeae73bd88b16e24
- SSDEEP
  
  196608:0qw9h20Qu0lFIutULgNr8cQ6P/qrFfDG2HD14LDsYu67ReBR:w2FIutULgS7rlDvDSI6cz
Score

10^/10

sectoprat evasion rat themida trojan
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8