Overview

overview

10

Static

static

1

AutoIt3.exe

windows10-2004-x64

3

run.bat

windows10-2004-x64

10

script.a3x

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    auto.zip

  • Size

    950KB

  • Sample

    240824-ncrh8syfrp

  • MD5

    cd8872256867b67037489d518c80a8d0

  • SHA1

    c7e1165de3171036369d4da4bbfe5c397f3d05f1

  • SHA256

    87e3af2826512db33e2877ec799f576a13a6853a9839532278f02d4e548e7424

  • SHA512

    8dbb1d910cfc4677e0794bbdd10f141e3e8aae8a2a1e45520bc9ddddc2f41e83bab431a3fa4921a360f398c6fff0f9d93c3b427f9897e4f750160ca6de0c1921

  • SSDEEP

    24576:ojgq1glRzGEeLyBWc5R8aOF/HuwSW1RG0VTGmNdJSonbl4wOL:ub1glFGE/BRoLPu/U40VicdJdblwL

Score
10/10
sectopratdiscoveryexecutionpersistencerattrojan

Malware Config

Targets

    • Target

      AutoIt3.exe

    • Size

      872KB

    • MD5

      c56b5f0201a3b3de53e561fe76912bfd

    • SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

    • SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    • SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • SSDEEP

      12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

    Score
    3/10
    discovery
    behavioral1

    • Target

      run.bat

    • Size

      34B

    • MD5

      87d72f7fe17d44947ad61d3b37c72ba4

    • SHA1

      ce2aa9009aafbb41eaebf96a616fefa81a3f7950

    • SHA256

      90d062ca877bb672557a58271bbdec6e9fe4517e106437b8dbafb6367fd1e86e

    • SHA512

      374cdca46bdb508c8eadf8a26ed22d9e08b4c0e2ad6d9a164922a09ee8eb9fa88a98cf11a13f65e41ff2c019db55cf3e3be4b3b3d27d544c61fe773660c0fbc0

    Score
    10/10
    sectopratdiscoveryexecutionpersistencerattrojan

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Command and Scripting Interpreter: AutoIT

      Using AutoIT for possible automate script.

      execution

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      script.a3x

    • Size

      940KB

    • MD5

      89859fe83e74915fb209fa52e33e3a47

    • SHA1

      b13c90a7f9254201cdd17c07815a4de45df7db34

    • SHA256

      e71958c62ba67d82e6695bb05b726c1e00541428bde8f800979e984e1593e534

    • SHA512

      443359ca92191c7f3dbd8106f3610130898c083dfb2d43210587dbb4b213075807f51b59e8b12d634ff0ab327257f9140831e36ffff3e028533c79c209813081

    • SSDEEP

      12288:ct+FIIcCcNi+B7P1K4y5IkjTVRTdCtjUkfAX3+nLz3J77vzYsb:c/IcCcNi+VP1JFZJPcsb

    Score
    3/10
    behavioral3

MITRE ATT&CK Matrix

Tasks