sectoprat | a42611665806c5056faf4d5cfeadf98878d8132243b2097ef13ba7fcfab22c0b

General

Target

dobi.exe
Size

9.6MB
MD5

a439025e40533f6e78c74fe8e9ce9875
SHA1

6ae40c35d089fd05b521affda29c205effdf9928
SHA256

a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f
SHA512

a2e22c32a1b6c50cfef234a7fe9581df516d3b7129645d64ffb16652a4dc757294aa5ccdae2a3c1a530c71251abeeb73356ca4f6b33b73fdd7cac2161a16d84b
SSDEEP

98304:RkLpZuLG6phE8B5ICZu0yYfq3TTLJB7foR:6Lp4GeENIKYR

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2056-27-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 2836	2756	dobi.exe	30
PID 2836 set thread context of 2056	2836	more.com	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2756	dobi.exe
2756	dobi.exe
2836	more.com
2836	more.com
2056	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2756	dobi.exe
2836	more.com
2836	more.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2056	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2836	2756	dobi.exe	30
PID 2756 wrote to memory of 2836	2756	dobi.exe	30
PID 2756 wrote to memory of 2836	2756	dobi.exe	30
PID 2756 wrote to memory of 2836	2756	dobi.exe	30
PID 2756 wrote to memory of 2836	2756	dobi.exe	30
PID 2836 wrote to memory of 2056	2836	more.com	32
PID 2836 wrote to memory of 2056	2836	more.com	32
PID 2836 wrote to memory of 2056	2836	more.com	32
PID 2836 wrote to memory of 2056	2836	more.com	32
PID 2836 wrote to memory of 2056	2836	more.com	32
PID 2836 wrote to memory of 2056	2836	more.com	32

C:\Users\Admin\AppData\Local\Temp\dobi.exe
"C:\Users\Admin\AppData\Local\Temp\dobi.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e8f245dd

Filesize
1.6MB

MD5
9e31991a93a6c781884e89a8572f5ea0

SHA1
4b83364234b879525ce91bbaa5226e91749491ed

SHA256
ecb718af37ec5b9c8b6a1f5aa535df409cad971852b01da72dfa3950dd51693a

SHA512
1d8da914fe1f7a164696b52b4d1fab12bb4defe0e09c94f862edad3e2bd7727a5004df362280ca47b7cc8a1ca6c8d3ec39a6b4d90e77779ce609c35e004e436f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb70e3f7

Filesize
1.4MB

MD5
c2f05ff6d3b1ae8ac48faa43a71a7092

SHA1
ec76668052a3728df27f23f2ab486ce318b25ac2

SHA256
c0dea94b563be943c15bddb6ed585c923c545493e94e465ee07646df51747457

SHA512
5e94e0686abaa3e2a7edc00843fe9d2b0526bc477153b6e9fe03182fc61b8791cca6d3d1172faa79e463896cf1474ece43f199a9f93581daaadc0974c6c57d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57C3.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
memory/2056-27-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2056-23-0x00000000748C0000-0x0000000074957000-memory.dmp

Filesize
604KB

Download
memory/2056-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-8-0x000007FEFDF39000-0x000007FEFDF3A000-memory.dmp

Filesize
4KB

Download
memory/2756-16-0x000007FEFDF20000-0x000007FEFECA8000-memory.dmp

Filesize
13.5MB

Download
memory/2756-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2756-9-0x000007FEFDF20000-0x000007FEFECA8000-memory.dmp

Filesize
13.5MB

Download
memory/2756-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2756-7-0x000007FEFDF20000-0x000007FEFECA8000-memory.dmp

Filesize
13.5MB

Download
memory/2756-1-0x0000000001040000-0x0000000001A0E000-memory.dmp

Filesize
9.8MB

Download
memory/2836-17-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2836-20-0x000000007505E000-0x0000000075060000-memory.dmp

Filesize
8KB

Download
memory/2836-19-0x0000000075050000-0x0000000075C9A000-memory.dmp

Filesize
12.3MB

Download
memory/2836-21-0x0000000075050000-0x0000000075C9A000-memory.dmp

Filesize
12.3MB

Download
memory/2836-24-0x0000000075050000-0x0000000075C9A000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing