sectoprat | 44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b

General

Target

file.exe
Size

6.5MB
MD5

bfc5ea31b4aeefec1508e8f5b458e574
SHA1

976fe53a467068719f70a856dca3bb7b65a9d6dc
SHA256

44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b
SHA512

146ef0163df8be2c8e5a834c27d731c817e0540a30d4e4746109fd564c33d2d7f00560017f0d5b9ade9eea05611ed440f64022f97e30949e5bb58041452f590e
SSDEEP

98304:vi0rHj8I5IxALsFFyTFaYTXMHyAw8aMAKa392mAYYqUSoYTk0KGjp2kizn:vi0rDyraTFNKyLUAKw2B7qUShTkQjDir

Score

10^/10

sectoprat discovery rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/992-88-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 2 IoCs

pid	Process
2668	Mp3tag.exe
2632	Mp3tag.exe

Loads dropped DLL 5 IoCs

pid	Process
2796	file.exe
2668	Mp3tag.exe
2668	Mp3tag.exe
2632	Mp3tag.exe
2616	cmd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2616	2632	Mp3tag.exe	31
PID 2616 set thread context of 992	2616	cmd.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2668	Mp3tag.exe
2632	Mp3tag.exe
2632	Mp3tag.exe
2616	cmd.exe
2616	cmd.exe
992	MSBuild.exe
992	MSBuild.exe
992	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2632	Mp3tag.exe
2616	cmd.exe
2616	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
992	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2668	2796	file.exe	29
PID 2796 wrote to memory of 2668	2796	file.exe	29
PID 2796 wrote to memory of 2668	2796	file.exe	29
PID 2668 wrote to memory of 2632	2668	Mp3tag.exe	30
PID 2668 wrote to memory of 2632	2668	Mp3tag.exe	30
PID 2668 wrote to memory of 2632	2668	Mp3tag.exe	30
PID 2632 wrote to memory of 2616	2632	Mp3tag.exe	31
PID 2632 wrote to memory of 2616	2632	Mp3tag.exe	31
PID 2632 wrote to memory of 2616	2632	Mp3tag.exe	31
PID 2632 wrote to memory of 2616	2632	Mp3tag.exe	31
PID 2632 wrote to memory of 2616	2632	Mp3tag.exe	31
PID 2616 wrote to memory of 992	2616	cmd.exe	33
PID 2616 wrote to memory of 992	2616	cmd.exe	33
PID 2616 wrote to memory of 992	2616	cmd.exe	33
PID 2616 wrote to memory of 992	2616	cmd.exe	33
PID 2616 wrote to memory of 992	2616	cmd.exe	33
PID 2616 wrote to memory of 992	2616	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe
  "C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\Downloadplugin\Mp3tag.exe
    C:\Users\Admin\AppData\Roaming\Downloadplugin\Mp3tag.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d9ca84b

Filesize
1.4MB

MD5
22c03c59514004a437b0598739269076

SHA1
408039582038742b5e9295e62ff9f157effa6476

SHA256
6410c7142b62fcc6ec494dac2675b8219494e3a9138ae280ec092bddf755685b

SHA512
fb9004b707bf404e60c3066ec95798f39014b465177472f7fe0b08ef2bcfe74bc17c98c87dadab2f13b5611fcb38d0fca9d86161dac7787f665f7bdaf5a1261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe

Filesize
12.0MB

MD5
a7118dffeac3772076f1a39a364d608d

SHA1
6b984d9446f23579e154ec47437b9cf820fd6b67

SHA256
f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0

SHA512
f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\fgq

Filesize
1.2MB

MD5
f6461ccd814a2ead19beeba2125b5368

SHA1
449ede26eeb5234f02a9d4b5a19fa7b6ffc4a1df

SHA256
8fb4e6d589830f39db50877b542b11281e56762caaa2742719b2ac042dd6cbd1

SHA512
fa8c7368597d79451fc47447ea1ac9e831b2b7835c6542a161bd74b0084da66fff4ac0555dce0eea64630887a2d953674125b1e2e9295a37b7bac678dc606fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\tak_deco_lib.dll

Filesize
315KB

MD5
ee7f11beaf317ef7185b0cec9a8ccff4

SHA1
274ebb8d1adfa6d49e1d3fc85cf942357c8a7653

SHA256
6c2d0a8831e82fc3889e94ef3e986660e38175ae406fea5a66e3d1f5c014ee97

SHA512
cdeec3fbd4eff63f64aad6559c36654416afae5e7314df1a756580dc52b6024c52f0f3803356b85d2095dfc136de9234271a14ec843af3cf3836b67bb30362b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\ymv

Filesize
14KB

MD5
c40639e251f6f49d3f4c140cd1fc3d9c

SHA1
7f531f2ad30f3bf2f637cea7087f3e432cc54adf

SHA256
2481d67eeef5025767464e90969c913f198eaa8171f8ebb8e61cd92ca880293f

SHA512
d327399a1fb31203fd1b8aa991369da907a4538bd77f69b0fc6568221cc3099300437d8e5f3f959c501ffcef2e728971f33e2fcf0d453e96a84458a23abb9480

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8864.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
memory/992-86-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/992-88-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/992-85-0x00000000727D0000-0x0000000073832000-memory.dmp

Filesize
16.4MB

Download
memory/992-87-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-36-0x0000000077250000-0x00000000773F9000-memory.dmp

Filesize
1.7MB

Download
memory/2616-83-0x00000000749A0000-0x0000000074B14000-memory.dmp

Filesize
1.5MB

Download
memory/2632-34-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2632-32-0x000007FEF6070000-0x000007FEF61C8000-memory.dmp

Filesize
1.3MB

Download
memory/2632-31-0x000007FEF6070000-0x000007FEF61C8000-memory.dmp

Filesize
1.3MB

Download
memory/2668-26-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2668-17-0x000007FEF69B0000-0x000007FEF6B08000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing