Overview

overview

10

Static

static

10

run.ps1

windows7-x64

8

run.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    run.ps1

  • Size

    78B

  • Sample

    250219-12t2wazqgp

  • MD5

    ad7d32c157ff297097b71dad926dd515

  • SHA1

    15904b197df005446e2adeb4d4786d23edd91e48

  • SHA256

    3480c3e63090688dd4a92dd0e8cab335a6a177e1704f725b41d50baf875b67f4

  • SHA512

    9cb9616edc4223dcbbbf7a5f4b43a4a5656912bf2510ef8e8cdf18786031b7c80e3e9cc19931b7046bb2b7d8a59bd3b8909699fd72bfce9865ffbcdb0ea20bbb

Score
10/10
sectopratdiscoveryexecutionrattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://45.61.157.205/17/ten

Targets

    • Target

      run.ps1

    • Size

      78B

    • MD5

      ad7d32c157ff297097b71dad926dd515

    • SHA1

      15904b197df005446e2adeb4d4786d23edd91e48

    • SHA256

      3480c3e63090688dd4a92dd0e8cab335a6a177e1704f725b41d50baf875b67f4

    • SHA512

      9cb9616edc4223dcbbbf7a5f4b43a4a5656912bf2510ef8e8cdf18786031b7c80e3e9cc19931b7046bb2b7d8a59bd3b8909699fd72bfce9865ffbcdb0ea20bbb

    Score
    10/10
    executionsectopratdiscoveryrattrojan

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks