sectoprat | a42611665806c5056faf4d5cfeadf98878d8132243b2097ef13ba7fcfab22c0b

General

Target

dobi.exe
Size

9.6MB
MD5

a439025e40533f6e78c74fe8e9ce9875
SHA1

6ae40c35d089fd05b521affda29c205effdf9928
SHA256

a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f
SHA512

a2e22c32a1b6c50cfef234a7fe9581df516d3b7129645d64ffb16652a4dc757294aa5ccdae2a3c1a530c71251abeeb73356ca4f6b33b73fdd7cac2161a16d84b
SSDEEP

98304:RkLpZuLG6phE8B5ICZu0yYfq3TTLJB7foR:6Lp4GeENIKYR

Score

10^/10

sectoprat discovery rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4304-30-0x00000000009A0000-0x0000000000A66000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 3100	2176	dobi.exe	83
PID 3100 set thread context of 4304	3100	more.com	101

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2176	dobi.exe
2176	dobi.exe
3100	more.com
3100	more.com
4304	MSBuild.exe
4304	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2176	dobi.exe
3100	more.com
3100	more.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4304	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3100	2176	dobi.exe	83
PID 2176 wrote to memory of 3100	2176	dobi.exe	83
PID 2176 wrote to memory of 3100	2176	dobi.exe	83
PID 2176 wrote to memory of 3100	2176	dobi.exe	83
PID 3100 wrote to memory of 4304	3100	more.com	101
PID 3100 wrote to memory of 4304	3100	more.com	101
PID 3100 wrote to memory of 4304	3100	more.com	101
PID 3100 wrote to memory of 4304	3100	more.com	101
PID 3100 wrote to memory of 4304	3100	more.com	101

C:\Users\Admin\AppData\Local\Temp\dobi.exe
"C:\Users\Admin\AppData\Local\Temp\dobi.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d2a9d304

Filesize
1.6MB

MD5
9e31991a93a6c781884e89a8572f5ea0

SHA1
4b83364234b879525ce91bbaa5226e91749491ed

SHA256
ecb718af37ec5b9c8b6a1f5aa535df409cad971852b01da72dfa3950dd51693a

SHA512
1d8da914fe1f7a164696b52b4d1fab12bb4defe0e09c94f862edad3e2bd7727a5004df362280ca47b7cc8a1ca6c8d3ec39a6b4d90e77779ce609c35e004e436f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d906165a

Filesize
1.4MB

MD5
024f272546c45dc2443048a9ed49c645

SHA1
6eba82fce9d0426e5f9c307ed1a48b7d232237b5

SHA256
9c67f14d4469cf65d63a00c1125f24519cda0ae468587d0be6176ae7c0038c9e

SHA512
0fe2a0682f2c16e96f84d77d8631e1f5f7a997f95d0fb8ea167bf9a996d0542baa8d24dfc1f5b9e07acf99630c7ef68de0731cf5d888f1a13303a38040ad3d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B37.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/2176-13-0x00007FFF4D600000-0x00007FFF4DD3F000-memory.dmp

Filesize
7.2MB

Download
memory/2176-1-0x00000000004B0000-0x0000000000E7E000-memory.dmp

Filesize
9.8MB

Download
memory/2176-9-0x00007FFF4D600000-0x00007FFF4DD3F000-memory.dmp

Filesize
7.2MB

Download
memory/2176-10-0x000002C28FD50000-0x000002C28FD51000-memory.dmp

Filesize
4KB

Download
memory/2176-12-0x00007FFF4D619000-0x00007FFF4D61A000-memory.dmp

Filesize
4KB

Download
memory/2176-0-0x000002C28FD50000-0x000002C28FD51000-memory.dmp

Filesize
4KB

Download
memory/2176-7-0x00007FFF4D600000-0x00007FFF4DD3F000-memory.dmp

Filesize
7.2MB

Download
memory/2176-8-0x00007FFF4D619000-0x00007FFF4D61A000-memory.dmp

Filesize
4KB

Download
memory/3100-17-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-21-0x000000007766E000-0x0000000077670000-memory.dmp

Filesize
8KB

Download
memory/3100-20-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/3100-22-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/3100-19-0x0000000003020000-0x00000000035D3000-memory.dmp

Filesize
5.7MB

Download
memory/3100-27-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/3100-28-0x0000000003020000-0x00000000035D3000-memory.dmp

Filesize
5.7MB

Download
memory/4304-29-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/4304-30-0x00000000009A0000-0x0000000000A66000-memory.dmp

Filesize
792KB

Download
memory/4304-31-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/4304-32-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/4304-33-0x00000000051F0000-0x00000000053B2000-memory.dmp

Filesize
1.8MB

Download
memory/4304-34-0x00000000050A0000-0x0000000005116000-memory.dmp

Filesize
472KB

Download
memory/4304-35-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4304-36-0x0000000005040000-0x0000000005090000-memory.dmp

Filesize
320KB

Download
memory/4304-37-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/4304-38-0x00000000061B0000-0x00000000066DC000-memory.dmp

Filesize
5.2MB

Download
memory/4304-39-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/4304-40-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/4304-24-0x0000000075420000-0x0000000075434000-memory.dmp

Filesize
80KB

Download
memory/4304-53-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/4304-54-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/4304-55-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4304-56-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/4304-57-0x0000000005480000-0x00000000054BC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing