sectoprat | ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe
Size

55.0MB
MD5

abdc1a46baac2dcd5bb559cd0837f197
SHA1

6a14fd1ebe171f3de1d1d61b7f51b7205d1fdb7d
SHA256

ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848
SHA512

98dc6074d6a527693e37324ddc1cc6926c07c0f11bb96ecdf3bdde41889281f5bde208d6901567cab0d6199c39806abb5bc2c73e199aef31a281f4a5f1df15d6
SSDEEP

1572864:q1jtZHyiLYnqk/tir8sBrDRDZhazK7tDboe0l:OjvHydqk5cn7hazO5b0l

Score

10^/10

sectoprat discovery rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2484-260-0x0000000000240000-0x000000000030A000-memory.dmp	family_sectoprat
behavioral1/memory/2484-262-0x0000000004A40000-0x0000000004B06000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flyvpn.exe.lnk	04.tmp

Executes dropped EXE 6 IoCs

pid	Process
2120	08.part01.exe
1536	04.exe
300	04.tmp
3052	04.exe
1780	04.tmp
2484	flyvpn.exe

Loads dropped DLL 13 IoCs

pid	Process
2472	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe
2472	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe
2472	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe
2120	08.part01.exe
2120	08.part01.exe
2120	08.part01.exe
2120	08.part01.exe
1536	04.exe
300	04.tmp
300	04.tmp
3052	04.exe
1780	04.tmp
1780	04.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com
8	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flyvpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08.part01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1780	04.tmp
1780	04.tmp
2484	flyvpn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	flyvpn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1780	04.tmp

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2120	2472	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe	31
PID 2472 wrote to memory of 2120	2472	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe	31
PID 2472 wrote to memory of 2120	2472	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe	31
PID 2472 wrote to memory of 2120	2472	ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe	31
PID 2120 wrote to memory of 1536	2120	08.part01.exe	32
PID 2120 wrote to memory of 1536	2120	08.part01.exe	32
PID 2120 wrote to memory of 1536	2120	08.part01.exe	32
PID 2120 wrote to memory of 1536	2120	08.part01.exe	32
PID 2120 wrote to memory of 1536	2120	08.part01.exe	32
PID 2120 wrote to memory of 1536	2120	08.part01.exe	32
PID 2120 wrote to memory of 1536	2120	08.part01.exe	32
PID 1536 wrote to memory of 300	1536	04.exe	33
PID 1536 wrote to memory of 300	1536	04.exe	33
PID 1536 wrote to memory of 300	1536	04.exe	33
PID 1536 wrote to memory of 300	1536	04.exe	33
PID 1536 wrote to memory of 300	1536	04.exe	33
PID 1536 wrote to memory of 300	1536	04.exe	33
PID 1536 wrote to memory of 300	1536	04.exe	33
PID 300 wrote to memory of 3052	300	04.tmp	34
PID 300 wrote to memory of 3052	300	04.tmp	34
PID 300 wrote to memory of 3052	300	04.tmp	34
PID 300 wrote to memory of 3052	300	04.tmp	34
PID 300 wrote to memory of 3052	300	04.tmp	34
PID 300 wrote to memory of 3052	300	04.tmp	34
PID 300 wrote to memory of 3052	300	04.tmp	34
PID 3052 wrote to memory of 1780	3052	04.exe	35
PID 3052 wrote to memory of 1780	3052	04.exe	35
PID 3052 wrote to memory of 1780	3052	04.exe	35
PID 3052 wrote to memory of 1780	3052	04.exe	35
PID 3052 wrote to memory of 1780	3052	04.exe	35
PID 3052 wrote to memory of 1780	3052	04.exe	35
PID 3052 wrote to memory of 1780	3052	04.exe	35
PID 1780 wrote to memory of 2484	1780	04.tmp	36
PID 1780 wrote to memory of 2484	1780	04.tmp	36
PID 1780 wrote to memory of 2484	1780	04.tmp	36
PID 1780 wrote to memory of 2484	1780	04.tmp	36

C:\Users\Admin\AppData\Local\Temp\ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe
"C:\Users\Admin\AppData\Local\Temp\ed56c4c1bf05d9d47ec9b177384ac8b844e109dcaa12e7c1c1661ba53144c848.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Public\Pictures\08.part01.exe
  "C:\Users\Public\Pictures\08.part01.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Public\Pictures\04.exe
    "C:\Users\Public\Pictures\04.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\is-K2GAC.tmp\04.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-K2GAC.tmp\04.tmp" /SL5="$600F8,14420606,121344,C:\Users\Public\Pictures\04.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:300
    - - C:\Users\Public\Pictures\04.exe
        
        "C:\Users\Public\Pictures\04.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\is-FBVG5.tmp\04.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FBVG5.tmp\04.tmp" /SL5="$B0192,14420606,121344,C:\Users\Public\Pictures\04.exe" /VERYSILENT
        6⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\reclosable\flyvpn.exe
        
        "C:\Users\Admin\AppData\Local\reclosable\flyvpn.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-K2GAC.tmp\04.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
C:\Users\Public\Pictures\08.part02.rar

Filesize
5.0MB

MD5
f8b39d3da4719f12e9ae431f00d737d6

SHA1
bb0e0b77506f5dbadf83b8f6ea554884e75065f0

SHA256
6a2ffc997171843869c3e02a7402839524765ccf6bf39f5c2ee61a7cbe99a343

SHA512
fb2bc7e7e51e72e38790d375c342f908deb058d69d8e5c8bfb8dafbb3aae6afecbce688cc304cc84eda0e02794362b70efca1b4832f13180550e0f7ecb933b6c

Download Submit
C:\Users\Public\Pictures\08.part03.rar

Filesize
5.0MB

MD5
744d16aa110dec53c3c452b2ceca46e0

SHA1
0a6b0829213ae16c36daad98dc2b9402bd0c3f4e

SHA256
f447b4e62a00b5929b415379e3e4ba0b30d45c50675e0e4436ca3134cb12c39a

SHA512
484359e591edd06f9f01b6d6f9273780bd5115aeab8847020f898ceb5f2c8508127943c199550d03906c15cc2a2dc141fbd549968cd7c4135bc1fb2e4bda4dfd

Download Submit
C:\Users\Public\Pictures\08.part04.rar

Filesize
5.0MB

MD5
e81fbd4c0f7a1f0706d264a81f9d9566

SHA1
e1f6514fff4faacfbb65ab7cf098f22eb79a6ba7

SHA256
66b1d46e712cb95292dba4fa81fb1d28877893d6d1f5305501b29d33a9de5274

SHA512
069ad24dbba2feda06d7b7459f9c660307f88be36f894601c7821f5d19d92bb2082d1a0efdb5d6bddae71b295a05fff3e792f09fa260b8cb684f72d883dc5ebf

Download Submit
C:\Users\Public\Pictures\08.part05.rar

Filesize
5.0MB

MD5
18257b2de13c3c0d0b363de09d1fd952

SHA1
78cd7d301e8a9ba5eaa2dba1c037704053076774

SHA256
286a3678facd4b0ffef5c4ed4f51be39d89646ababe0451cbf1e22e81f7784a5

SHA512
9ff87c4bad5acbcdb294eba59a299ac894c1c45c49684a0876bd279ba2f61a71a1fe34e82df0a71c0b0e41d1fa7cb54a2fd8bfbdd1f0e3711097b1dd41502afd

Download Submit
C:\Users\Public\Pictures\08.part06.rar

Filesize
5.0MB

MD5
d89f90a138e01ce9c3d95912cc5ba475

SHA1
14e15406cc37beaeed180de71c766a56dac44f27

SHA256
a57af80c71db3e88a6375327dd11664be4b314cec893100b7d1e1daeddba045c

SHA512
2a1bf61d26f7e28b4bf01aa54fe0c8eaefcbecb5cddd9de10cdbcb800cd542beaccb2a0f3c852008247f4cb8efe59927e2bd761d6a025a4ab98f2049798d65c5

Download Submit
C:\Users\Public\Pictures\08.part07.rar

Filesize
5.0MB

MD5
ac5e21979b1cd48617f009c92ce28e4a

SHA1
9780727b8a79da37dfc5adc839254597f1252a4e

SHA256
f5992855d2dcfd4095dc5ac68935be96a5a266783705d6da562b14e148cc25a8

SHA512
a47a885bbd8c49335d2e43d746efb3445b84915b14c637e08dc9a2f81447d607b26f1d714fa4fb7a52a3c20399fc8175c01341e1bc88572d2f61f3558c368f29

Download Submit
C:\Users\Public\Pictures\08.part08.rar

Filesize
5.0MB

MD5
867337871bdf34ca6269afb069ee1218

SHA1
31b924f4f589b32f0c920c71c60e3a3c41085d4e

SHA256
5ecc451dce4c1ca7e6ec115c1dc6a307011e3ff7716d54af86f3e1acc73b6ede

SHA512
ada35b74a186458b361f5a1e7d360d99394d89302af38781bc4df4c47bed27843a644e75dac40a155ff39c2afcaaafa56765fe8fe389bef0bc4134d21e7bcf1f

Download Submit
C:\Users\Public\Pictures\08.part09.rar

Filesize
5.0MB

MD5
316985932dd9b118c90dacba28ba9502

SHA1
9bc7253b5cfb9f9a51fb6b89ba58d3ef940c9b10

SHA256
2c8dfb90ebf24fd0354694074948c4ad9263b8ef9407ad3bb73d81eb7296335a

SHA512
aa0e2bfa48d16a7d0a66c45d359d982e6dc966cfd4e94472f7c642a1f8eb33067d1785990ed6e17d0fca3560dd114e437db35b9c1013ac11aae4fdd41c3e24d5

Download Submit
C:\Users\Public\Pictures\08.part10.rar

Filesize
5.0MB

MD5
151317c6466c52eaa47cf3d591024436

SHA1
ed41fd6e61ad5c8312ad2fc2f3a83cda3d1ee590

SHA256
d0428f3c138bea9cb1547d88e81c7bf2f1e017f1e2b0191865a5b1ff5580dc50

SHA512
4436001f7a9ddf5a9cfd21a1a5bfd62943e83cdceba4cc98c5a04be608dfe7387940f6934a0a572e56975e0d291f7ad97f9bf59c602489f025c443685b56d413

Download Submit
C:\Users\Public\Pictures\08.part11.rar

Filesize
4.9MB

MD5
9c18d1fe7b0a7caad6140b473618f1c2

SHA1
5e96a27f9241745db61110cda119c77987fd3b97

SHA256
df8fe0e30eacfa2f2089d146088cdeff71317094c6f9d4e0f29e9c9279160804

SHA512
cd946ee424203f4f26f48632a737c4e28ba42109c823c3a66065731b3a1c17ae480ff3e251aee935c18719a0dd60e1ed05a0ebdf0984a7dea02ea1f00594645f

Download Submit
\Users\Admin\AppData\Local\Temp\is-1JV9T.tmp\_isetup\_isdecmp.dll

Filesize
29KB

MD5
fd4743e2a51dd8e0d44f96eae1853226

SHA1
646cef384e949aaf61e6d0b243d8d84ab04e79b7

SHA256
6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

SHA512
4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

Download Submit
\Users\Admin\AppData\Local\reclosable\flyvpn.exe

Filesize
13.9MB

MD5
4d8e624f384094c048f779b9bb94a3bb

SHA1
d81dca9f8165c915d88c9cc4c645f296198dc95e

SHA256
1d40788ce56c4cafdd19ae5f2b567e51234a32fa179ec8fba45452dd46b4fab1

SHA512
ae0294b02a073cff03d0272c74da2157807305d38993b91285a29b7ae000600324ae822fe6ee1e5986a87fdd7838979d84eda9d6b2499b28000f5d7586d34c47

Download Submit
\Users\Public\Pictures\04.exe

Filesize
17.3MB

MD5
2d5f24f25ed215dcd5b36a471f443633

SHA1
647c48f00951f83a0df41473898aeb703f044b53

SHA256
8777be6a537392b72fae3846d7f249cc64caa5ca9eff09f096270c0b6479dc63

SHA512
2e3869728d6922beacc1f8ca76afe530416942b084e6618f87bc38ecedb1154096e7c1b039c569d8f530372ac26b33f955960e1aa32914db3ac3539f20531ca1

Download Submit
\Users\Public\Pictures\08.part01.exe

Filesize
5.0MB

MD5
9507592f75450f7cda251c5cd1978d0f

SHA1
c0afa3fd5448b769b3dc7eb5ae8f6b2f5b5f4c36

SHA256
4ed0eebe48b90ae8906a2a618e536359f23c8e5aac0acfb65399f448db18c747

SHA512
6d39f0809a92dcff9ea515e12f24b48259c9da173588b1e618f59517aad53ab0941f9d03eab160ba577934ca43407b1aff88073e33d0b74c9de148bc4709206d

Download Submit
memory/300-235-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1536-219-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1536-248-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1780-259-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2484-260-0x0000000000240000-0x000000000030A000-memory.dmp

Filesize
808KB

Download
memory/2484-262-0x0000000004A40000-0x0000000004B06000-memory.dmp

Filesize
792KB

Download
memory/3052-236-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-258-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download