sectoprat | cfa3aa39deeb3f6676492660c22c6e47429f8dc19b39310c526528e960aa5541

General

Target

050bf1667b3582ee614153462e676ee4.exe
Size

3.3MB
MD5

050bf1667b3582ee614153462e676ee4
SHA1

2867882f64330110243f001850c243018f0f831c
SHA256

cfa3aa39deeb3f6676492660c22c6e47429f8dc19b39310c526528e960aa5541
SHA512

49ff898bee46784a161f7d7de1e8b72d8482f11661c6bb552bb4a30993c25891e44940fd47f2e33a8bb289280624d36cdc3b65613b343c957ed4dac97427b9be
SSDEEP

49152:iR/KpmZubPf2S8W2ILeWl+C1t9jWy5Snd0eigXGrHz9FX3G3kGiauKmgBRAD:E/jtYLP1Gy5E0tHz9ppaxBRy

Score

10^/10

sectoprat discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1636-20-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat
behavioral1/memory/1636-19-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat
behavioral1/memory/1636-17-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat
behavioral1/memory/1636-14-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat
behavioral1/memory/1636-11-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

050bf1667b3582ee614153462e676ee4.exe

description pid process target process

PID 528 set thread context of 1636 528 050bf1667b3582ee614153462e676ee4.exe RegAsm.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

1636 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1636 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1636 RegAsm.exe

description	pid	process	target process
PID 528 set thread context of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe

pid	process
1636	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1636	RegAsm.exe

pid	process
1636	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

050bf1667b3582ee614153462e676ee4.exe

description	pid	process	target process
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe
PID 528 wrote to memory of 1636	528	050bf1667b3582ee614153462e676ee4.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\050bf1667b3582ee614153462e676ee4.exe
"C:\Users\Admin\AppData\Local\Temp\050bf1667b3582ee614153462e676ee4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD5B.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
memory/528-1-0x0000000000688000-0x000000000068C000-memory.dmp

Filesize
16KB

Download
memory/528-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/528-2-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/1636-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1636-6-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1636-20-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1636-19-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1636-17-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1636-14-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1636-8-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1636-11-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing