General

  • Target

    06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437

  • Size

    4.0MB

  • Sample

    241117-tqlsssxrgm

  • MD5

    67b0d57e74adeef2f15582f95c9d5c43

  • SHA1

    4d359d98992b6ee3b47aa7667fcd74d25ca715bd

  • SHA256

    06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437

  • SHA512

    f2691b4fdbbce2cf34483227362ff93d4b96f170ac17337d54971b0cc340da7beabedeb25bf26aaeeacb92e1066b93ccec65e742481e293928ea20c795be4a5e

  • SSDEEP

    49152:PjKdrRvp7grhJqZyc0PGMMlADKD7IRHxg:PjKdrRvJchJq6GPlA2D0RHxg

Malware Config

Targets

    • Target

      06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437

    • Size

      4.0MB

    • MD5

      67b0d57e74adeef2f15582f95c9d5c43

    • SHA1

      4d359d98992b6ee3b47aa7667fcd74d25ca715bd

    • SHA256

      06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437

    • SHA512

      f2691b4fdbbce2cf34483227362ff93d4b96f170ac17337d54971b0cc340da7beabedeb25bf26aaeeacb92e1066b93ccec65e742481e293928ea20c795be4a5e

    • SSDEEP

      49152:PjKdrRvp7grhJqZyc0PGMMlADKD7IRHxg:PjKdrRvJchJq6GPlA2D0RHxg

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks