sectoprat | a42611665806c5056faf4d5cfeadf98878d8132243b2097ef13ba7fcfab22c0b

General

Target

dobi.exe
Size

9.6MB
MD5

a439025e40533f6e78c74fe8e9ce9875
SHA1

6ae40c35d089fd05b521affda29c205effdf9928
SHA256

a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f
SHA512

a2e22c32a1b6c50cfef234a7fe9581df516d3b7129645d64ffb16652a4dc757294aa5ccdae2a3c1a530c71251abeeb73356ca4f6b33b73fdd7cac2161a16d84b
SSDEEP

98304:RkLpZuLG6phE8B5ICZu0yYfq3TTLJB7foR:6Lp4GeENIKYR

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2608-26-0x0000000000400000-0x00000000004C6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 2884	1580	dobi.exe	30
PID 2884 set thread context of 2608	2884	more.com	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1580	dobi.exe
1580	dobi.exe
2884	more.com
2884	more.com

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1580	dobi.exe
2884	more.com
2884	more.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2884	1580	dobi.exe	30
PID 1580 wrote to memory of 2884	1580	dobi.exe	30
PID 1580 wrote to memory of 2884	1580	dobi.exe	30
PID 1580 wrote to memory of 2884	1580	dobi.exe	30
PID 1580 wrote to memory of 2884	1580	dobi.exe	30
PID 2884 wrote to memory of 2608	2884	more.com	32
PID 2884 wrote to memory of 2608	2884	more.com	32
PID 2884 wrote to memory of 2608	2884	more.com	32
PID 2884 wrote to memory of 2608	2884	more.com	32
PID 2884 wrote to memory of 2608	2884	more.com	32
PID 2884 wrote to memory of 2608	2884	more.com	32

C:\Users\Admin\AppData\Local\Temp\dobi.exe
"C:\Users\Admin\AppData\Local\Temp\dobi.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f2bfec00

Filesize
1.6MB

MD5
9e31991a93a6c781884e89a8572f5ea0

SHA1
4b83364234b879525ce91bbaa5226e91749491ed

SHA256
ecb718af37ec5b9c8b6a1f5aa535df409cad971852b01da72dfa3950dd51693a

SHA512
1d8da914fe1f7a164696b52b4d1fab12bb4defe0e09c94f862edad3e2bd7727a5004df362280ca47b7cc8a1ca6c8d3ec39a6b4d90e77779ce609c35e004e436f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa1d6beb

Filesize
1.4MB

MD5
f8fbe390dd69f00da3e9c3bb0fb5511e

SHA1
fc82ad77d1cc80935ad060785197feeedbda103e

SHA256
fe527d074be47d4683d1e84fbcd87353b3c50899ac57823e63065343097e9722

SHA512
b4508167e1a07e4ad4eb5feec5e4b5346bd13af7d376d4a9292b838615ca19600c6fed8cd43f09ea2c4382602d915dcf7575b200e3dd5fc4b62c4b8c588408a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6089.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
memory/1580-8-0x000007FEFE119000-0x000007FEFE11A000-memory.dmp

Filesize
4KB

Download
memory/1580-9-0x000007FEFE100000-0x000007FEFEE88000-memory.dmp

Filesize
13.5MB

Download
memory/1580-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1580-12-0x000007FEFE100000-0x000007FEFEE88000-memory.dmp

Filesize
13.5MB

Download
memory/1580-7-0x000007FEFE100000-0x000007FEFEE88000-memory.dmp

Filesize
13.5MB

Download
memory/1580-1-0x00000000013B0000-0x0000000001D7E000-memory.dmp

Filesize
9.8MB

Download
memory/1580-0-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2608-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-26-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2608-22-0x0000000074850000-0x00000000748E7000-memory.dmp

Filesize
604KB

Download
memory/2608-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-19-0x000000007536E000-0x0000000075370000-memory.dmp

Filesize
8KB

Download
memory/2884-23-0x0000000075360000-0x0000000075FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2884-20-0x0000000075360000-0x0000000075FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2884-18-0x0000000075360000-0x0000000075FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2884-16-0x0000000077370000-0x0000000077519000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing