sectoprat | 255b8e8d638df2dcde755d28b01169a687dcfdc197498dc89c466dd6bb795b34

General

Target

Discord Nitro Generator.exe
Size

2.0MB
MD5

26aade362e76606a6dd64b1783d989eb
SHA1

feefb270d825aa93a0c249db479bc3308f7a4b5f
SHA256

d235cc33d4a1bad720e4de5e3748ffadc760cfb73326767473e2cb86d1afa3d6
SHA512

2fd7b9ad727dce7a689199f0eac2b6eb6873b8a676a531e2732a94c28e3d20dc19b94ad78efa37db7e5a485adbfb1044e65092f97fe57f3ca4d0cd64ae507a14
SSDEEP

49152:EQ+UdDEITs0m3KMtun3fDokUdlzWsYNZXPL0yJTEx+F:BLNVTsPG0k49WPNZXTw8

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 16 IoCs

resource	yara_rule
behavioral1/memory/1964-3-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-5-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-8-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-10-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-11-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-12-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-13-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-14-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-15-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-16-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-17-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-18-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-19-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-20-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-21-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat
behavioral1/memory/1964-22-0x0000000001280000-0x0000000001B9E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe
1964	Discord Nitro Generator.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord Nitro Generator.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	Discord Nitro Generator.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	Discord Nitro Generator.exe

C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-0-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1964-2-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/1964-3-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-4-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-5-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-6-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1964-7-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/1964-9-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-8-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-10-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-11-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-12-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-13-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-14-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-15-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-16-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-17-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-18-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-19-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-20-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-21-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download
memory/1964-22-0x0000000001280000-0x0000000001B9E000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing