sectoprat | eefc3d0a6af3df17b4c97f8404509550aa8eb99b3757a0ba4590c6bce88c96ca | Triage

Sharing

General

Target

eefc3d0a6af3df17b4c97f8404509550aa8eb99b3757a0ba4590c6bce88c96ca
Size

3.6MB
Sample

241110-qvgsvsxfmk
MD5

ffdcbdd06ed59b0c4a507cac8d575913
SHA1

de5e9d4384db0866f083db001217373b34451ea6
SHA256

eefc3d0a6af3df17b4c97f8404509550aa8eb99b3757a0ba4590c6bce88c96ca
SHA512

09765eac9a6f6dd493a6907e20f07e756ae443bdb7a2e10233161e179fc46669fa5796b91df57a3e5cf3607d1f9fb4ab33e002e2b596699115b624f09b3dc5b5
SSDEEP

49152:hjt9RArn/oYnZ78RwY8arcQMG6rclercVh+r52P/xyM2DIbucTWE83KxFIydR1LI:DAjQeZ4RwPacOj+rEP/mETlSKvLdLDuj

Score

10^/10

sectoprat discovery evasion rat themida trojan

Malware Config

Targets

- Target
  
  IlusionChecker.dll
- Size
  
  860KB
- MD5
  
  b0bac703f7383ee4a23d4d3f2a2b1f1a
- SHA1
  
  106090e78f39c26908818483b16ec305a01f9400
- SHA256
  
  9ce8edef198466a402ac87600dddf041f562caa41b6e388397b03a8500b37ee6
- SHA512
  
  6318d48fa6a11ba85893faea9a5fd5837e7b85c273275532a18a10045aabdf18fc9d016d705dcab2004a9c206b714771a2c2f9ebf1bb913faea06562307a136b
- SSDEEP
  
  24576:Cwx+zVw7FfVRI08bMul+pUoXyVaaaC03:CwxQVYRn85oi
Score

1^/10
behavioral1 behavioral2
- Target
  
  IlusionChecker.exe
- Size
  
  3.0MB
- MD5
  
  75b074c809301513411b15669c3d2e35
- SHA1
  
  c19e02192b3c57844dff28fdb81830d5dd5e6eaf
- SHA256
  
  1369ca0bcd6a39f6fbe3b931d61b9b752704b5c43beede8a73a7ce7e0f8d43c6
- SHA512
  
  5bc40b27062b2f774e26b8fa2b7f58f9aa4d705ce583afbcac0761b40e25a7e555246f4bdf7ade8c6c299e404c85399b235a537d93624042d2a1f331b17a1a10
- SSDEEP
  
  49152:bxNZY81Ccz8i6DH8e2Awj/VVKL+i5x6ytOx+muOv/6Kk9xVZyVL1G/zvdVn:bxNZPoc1XdkLn5xIPviJ9rcXGL1l
Score

10^/10

sectoprat discovery evasion rat themida trojan
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  configuration/og-names.txt
- Size
  
  37KB
- MD5
  
  81f43a367261d11e0a5dd472d929825b
- SHA1
  
  42acf32254481c2c4ee08e4abb9706628a20cf0e
- SHA256
  
  7c8e9420a2da94fb7044ee85354b919711b7bfede9b6f57288cbaae8e5548a5c
- SHA512
  
  c3451849ccfb6e4442ea2e88165b5a9938f9b908b131128abcef00af3453f1bf0720e19767e49b238b8eb45ce0aa672bd0f155ab869f423b11eeb971f41c6b69
- SSDEEP
  
  768:TDYa8eEzVcP2hN+CAhkv2VfJ0zu/LQw4iJRPrNVP9ON8Hkcf79xgKl4lA90Qp/Ry:TDYBeXP2hkCAhkvfjiJzV08Hkcf79xR2
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

sectopratdiscoveryevasionratthemidatrojan

behavioral4

sectopratdiscoveryevasionratthemidatrojan

behavioral5

behavioral6