General

  • Target

    f2a8840778484a56f1215f0fa8f6e8b0fb805fce99e62c01ff0a1f541f1d6808N.exe

  • Size

    1.6MB

  • Sample

    241220-f2pf6s1jcx

  • MD5

    8802e10d9b969bd59b7b690ff39b0cc0

  • SHA1

    7e70b9013793ed8a94132bd8684b41574b7bd719

  • SHA256

    f2a8840778484a56f1215f0fa8f6e8b0fb805fce99e62c01ff0a1f541f1d6808

  • SHA512

    c43f847960911753496365e5b2835099f318d2b991b73c836807011344dc3188f86522495c86eea432b983dba10d10aba3696d1a38f28de8ec9ab9aa271d8b0c

  • SSDEEP

    24576:birlpbr7vGzSbmCC9KST7KddYMhC9dQNz+8pUosGOaCjQoM6XKApF14IeZcCzhK0:47X7vGlCC91T7KdrhC9i4SmIIe1dKSBj

Malware Config

Targets

    • Target

      f2a8840778484a56f1215f0fa8f6e8b0fb805fce99e62c01ff0a1f541f1d6808N.exe

    • Size

      1.6MB

    • MD5

      8802e10d9b969bd59b7b690ff39b0cc0

    • SHA1

      7e70b9013793ed8a94132bd8684b41574b7bd719

    • SHA256

      f2a8840778484a56f1215f0fa8f6e8b0fb805fce99e62c01ff0a1f541f1d6808

    • SHA512

      c43f847960911753496365e5b2835099f318d2b991b73c836807011344dc3188f86522495c86eea432b983dba10d10aba3696d1a38f28de8ec9ab9aa271d8b0c

    • SSDEEP

      24576:birlpbr7vGzSbmCC9KST7KddYMhC9dQNz+8pUosGOaCjQoM6XKApF14IeZcCzhK0:47X7vGlCC91T7KdrhC9i4SmIIe1dKSBj

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks