sectoprat | 304555a63b7a431a158fd9e527bdfcb7610f6dfa9231f4184f2e80e85a0dc520

General

Target

2E2358523BBE722450A7E49EED0534B6.exe
Size

3.5MB
MD5

2e2358523bbe722450a7e49eed0534b6
SHA1

10ac0bbf6ab7e2db1d53a93973bf73573160eeab
SHA256

304555a63b7a431a158fd9e527bdfcb7610f6dfa9231f4184f2e80e85a0dc520
SHA512

13fbfe2ee2ca37d9ace32e0a1c84f0aa726d5dd4145ed9a7385317140486ab8688a8defe71fd31dffe70a7fd17c4c1305b7eeaa5b11a32e55b57b05152a26ce5
SSDEEP

49152:xSee3hQidqT4kgJmNqf9YWBTg+E5EiCh8:I3hQidXZQNqiWLgR6

Score

10^/10

sectoprat discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3520-0-0x00000000022E0000-0x00000000023B7000-memory.dmp	family_sectoprat
behavioral2/memory/2324-4-0x0000000000800000-0x00000000008C6000-memory.dmp	family_sectoprat
behavioral2/memory/2324-3-0x0000000000800000-0x00000000008C6000-memory.dmp	family_sectoprat
behavioral2/memory/2324-5-0x0000000000800000-0x00000000008C6000-memory.dmp	family_sectoprat
behavioral2/memory/3520-8-0x00000000022E0000-0x00000000023B7000-memory.dmp	family_sectoprat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

2E2358523BBE722450A7E49EED0534B6.exe

description pid process target process

PID 3520 set thread context of 2324 3520 2E2358523BBE722450A7E49EED0534B6.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RegAsm.exe

pid process

2324 RegAsm.exe
2324 RegAsm.exe
2324 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2324 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2324 RegAsm.exe

description	pid	process	target process
PID 3520 set thread context of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe

pid	process
2324	RegAsm.exe
2324	RegAsm.exe
2324	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2324	RegAsm.exe

pid	process
2324	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2E2358523BBE722450A7E49EED0534B6.exe

description	pid	process	target process
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe
PID 3520 wrote to memory of 2324	3520	2E2358523BBE722450A7E49EED0534B6.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\2E2358523BBE722450A7E49EED0534B6.exe
"C:\Users\Admin\AppData\Local\Temp\2E2358523BBE722450A7E49EED0534B6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9C23.tmp
Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C54.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/2324-6-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/2324-46-0x00000000053D0000-0x000000000540C000-memory.dmp

Filesize
240KB

Download
memory/2324-12-0x00000000050C0000-0x0000000005110000-memory.dmp

Filesize
320KB

Download
memory/2324-1-0x0000000000800000-0x00000000008C6000-memory.dmp

Filesize
792KB

Download
memory/2324-14-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-7-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2324-9-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/2324-45-0x0000000005170000-0x0000000005182000-memory.dmp

Filesize
72KB

Download
memory/2324-10-0x0000000005190000-0x0000000005352000-memory.dmp

Filesize
1.8MB

Download
memory/2324-13-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/2324-5-0x0000000000800000-0x00000000008C6000-memory.dmp

Filesize
792KB

Download
memory/2324-3-0x0000000000800000-0x00000000008C6000-memory.dmp

Filesize
792KB

Download
memory/2324-11-0x0000000005040000-0x00000000050B6000-memory.dmp

Filesize
472KB

Download
memory/2324-15-0x0000000006150000-0x000000000667C000-memory.dmp

Filesize
5.2MB

Download
memory/2324-16-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/2324-17-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/2324-4-0x0000000000800000-0x00000000008C6000-memory.dmp

Filesize
792KB

Download
memory/2324-2-0x0000000000800000-0x00000000008C6000-memory.dmp

Filesize
792KB

Download
memory/2324-41-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/2324-43-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2324-44-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3520-8-0x00000000022E0000-0x00000000023B7000-memory.dmp

Filesize
860KB

Download
memory/3520-0-0x00000000022E0000-0x00000000023B7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing