sectoprat | a42611665806c5056faf4d5cfeadf98878d8132243b2097ef13ba7fcfab22c0b

General

Target

dobi.exe
Size

9.6MB
MD5

a439025e40533f6e78c74fe8e9ce9875
SHA1

6ae40c35d089fd05b521affda29c205effdf9928
SHA256

a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f
SHA512

a2e22c32a1b6c50cfef234a7fe9581df516d3b7129645d64ffb16652a4dc757294aa5ccdae2a3c1a530c71251abeeb73356ca4f6b33b73fdd7cac2161a16d84b
SSDEEP

98304:RkLpZuLG6phE8B5ICZu0yYfq3TTLJB7foR:6Lp4GeENIKYR

Score

10^/10

sectoprat discovery rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2872-30-0x0000000001100000-0x00000000011C6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 4828	3116	dobi.exe	83
PID 4828 set thread context of 2872	4828	more.com	102

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3116	dobi.exe
3116	dobi.exe
4828	more.com
4828	more.com
2872	MSBuild.exe
2872	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3116	dobi.exe
4828	more.com
4828	more.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2872	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4828	3116	dobi.exe	83
PID 3116 wrote to memory of 4828	3116	dobi.exe	83
PID 3116 wrote to memory of 4828	3116	dobi.exe	83
PID 3116 wrote to memory of 4828	3116	dobi.exe	83
PID 4828 wrote to memory of 2872	4828	more.com	102
PID 4828 wrote to memory of 2872	4828	more.com	102
PID 4828 wrote to memory of 2872	4828	more.com	102
PID 4828 wrote to memory of 2872	4828	more.com	102
PID 4828 wrote to memory of 2872	4828	more.com	102

C:\Users\Admin\AppData\Local\Temp\dobi.exe
"C:\Users\Admin\AppData\Local\Temp\dobi.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\379ff019

Filesize
1.6MB

MD5
9e31991a93a6c781884e89a8572f5ea0

SHA1
4b83364234b879525ce91bbaa5226e91749491ed

SHA256
ecb718af37ec5b9c8b6a1f5aa535df409cad971852b01da72dfa3950dd51693a

SHA512
1d8da914fe1f7a164696b52b4d1fab12bb4defe0e09c94f862edad3e2bd7727a5004df362280ca47b7cc8a1ca6c8d3ec39a6b4d90e77779ce609c35e004e436f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c5e1aa7

Filesize
1.4MB

MD5
d66b438e8d9aae44ca621cb6cf028dfe

SHA1
10f960c2e583e418ee7f0602b4c3636b344fe043

SHA256
ac6e04f5bf5fadbb46de0fa13fac5532baa56099899a00b4a1141c065b999079

SHA512
64de61392901561fcc0e9b11586c9621f1879343725e7b09a5f2b356a6fddaca8296750f673f3a605ba142a61e9347bd12af5fb146fdcad3e78edb699d382281

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2132.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/2872-29-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

Filesize
4KB

Download
memory/2872-32-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/2872-39-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/2872-30-0x0000000001100000-0x00000000011C6000-memory.dmp

Filesize
792KB

Download
memory/2872-38-0x00000000068E0000-0x0000000006E0C000-memory.dmp

Filesize
5.2MB

Download
memory/2872-37-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download
memory/2872-36-0x0000000005790000-0x00000000057E0000-memory.dmp

Filesize
320KB

Download
memory/2872-31-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/2872-57-0x0000000005BD0000-0x0000000005C0C000-memory.dmp

Filesize
240KB

Download
memory/2872-35-0x00000000057F0000-0x0000000005866000-memory.dmp

Filesize
472KB

Download
memory/2872-56-0x0000000005B10000-0x0000000005B22000-memory.dmp

Filesize
72KB

Download
memory/2872-55-0x0000000073E70000-0x0000000074620000-memory.dmp

Filesize
7.7MB

Download
memory/2872-24-0x0000000074730000-0x0000000074744000-memory.dmp

Filesize
80KB

Download
memory/2872-40-0x0000000006640000-0x00000000066A6000-memory.dmp

Filesize
408KB

Download
memory/2872-54-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

Filesize
4KB

Download
memory/2872-34-0x0000000073E70000-0x0000000074620000-memory.dmp

Filesize
7.7MB

Download
memory/2872-33-0x0000000005940000-0x0000000005B02000-memory.dmp

Filesize
1.8MB

Download
memory/2872-53-0x0000000007EF0000-0x0000000007EFA000-memory.dmp

Filesize
40KB

Download
memory/3116-1-0x0000000000800000-0x00000000011CE000-memory.dmp

Filesize
9.8MB

Download
memory/3116-10-0x000001CC12F20000-0x000001CC12F21000-memory.dmp

Filesize
4KB

Download
memory/3116-0-0x000001CC12F20000-0x000001CC12F21000-memory.dmp

Filesize
4KB

Download
memory/3116-8-0x00007FFA41CC9000-0x00007FFA41CCA000-memory.dmp

Filesize
4KB

Download
memory/3116-7-0x00007FFA41CB0000-0x00007FFA423EF000-memory.dmp

Filesize
7.2MB

Download
memory/3116-13-0x00007FFA41CB0000-0x00007FFA423EF000-memory.dmp

Filesize
7.2MB

Download
memory/3116-12-0x00007FFA41CC9000-0x00007FFA41CCA000-memory.dmp

Filesize
4KB

Download
memory/3116-9-0x00007FFA41CB0000-0x00007FFA423EF000-memory.dmp

Filesize
7.2MB

Download
memory/4828-21-0x00000000765FE000-0x0000000076600000-memory.dmp

Filesize
8KB

Download
memory/4828-27-0x00000000765F0000-0x0000000076BA3000-memory.dmp

Filesize
5.7MB

Download
memory/4828-17-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/4828-28-0x0000000003070000-0x0000000003623000-memory.dmp

Filesize
5.7MB

Download
memory/4828-20-0x00000000765F0000-0x0000000076BA3000-memory.dmp

Filesize
5.7MB

Download
memory/4828-22-0x00000000765F0000-0x0000000076BA3000-memory.dmp

Filesize
5.7MB

Download
memory/4828-19-0x0000000003070000-0x0000000003623000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing