General

  • Target

    file.exe

  • Size

    13.8MB

  • Sample

    240823-kjqczatgme

  • MD5

    43e2db5451f5938f2ee9695de40ecb9e

  • SHA1

    39421a403cfb7402e13e0aedc6234b6439bef569

  • SHA256

    6824e5da203c3f76aef7664f3ccf927bce3412be059b8d78075f6e804dc8c873

  • SHA512

    9949578b35b1267e197750a25a1ee9b922394f1f535eaa3580a464680d3dd68fb7f4010dd3393d512b1753a44010f69bbd3fe230939d6e46828441a54a849730

  • SSDEEP

    393216:F7Pl85sdL01+l+uq+Vvz1+TtIiLf0VlCR63l:FpTR01+l+uqgvz1QtIhla8

Malware Config

Targets

    • Target

      file.exe

    • Size

      13.8MB

    • MD5

      43e2db5451f5938f2ee9695de40ecb9e

    • SHA1

      39421a403cfb7402e13e0aedc6234b6439bef569

    • SHA256

      6824e5da203c3f76aef7664f3ccf927bce3412be059b8d78075f6e804dc8c873

    • SHA512

      9949578b35b1267e197750a25a1ee9b922394f1f535eaa3580a464680d3dd68fb7f4010dd3393d512b1753a44010f69bbd3fe230939d6e46828441a54a849730

    • SSDEEP

      393216:F7Pl85sdL01+l+uq+Vvz1+TtIiLf0VlCR63l:FpTR01+l+uqgvz1QtIhla8

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks