Overview

overview

10

Static

static

1

wEotIbaw.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wEotIbaw.ps1

  • Size

    14.7MB

  • Sample

    250326-rl356sylv3

  • MD5

    995596f28f9a7d8543795fa3783c5417

  • SHA1

    26bdb7edbc54be02342dc1facb281059ac85d04d

  • SHA256

    8b3dcbc8862553bd18ae5f181f192bb76a5fe20dec5184383574a7e24701d8d8

  • SHA512

    daa12601f414d8f1d25d5ec32c9a3f4885a6aba35f60e72e6d414898e29ab6c378b175c3960261474641d6344475439dfc93e590274fc7fb79094ca093931a94

  • SSDEEP

    768:QbcXWHsPosaVp9Im/mwYljpGBQfANhIqnzK3edX7j8ASEz5pOgApo1n0aE1R74XL:QQ9kR

Score
10/10
sectopratcredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Targets

    • Target

      wEotIbaw.ps1

    • Size

      14.7MB

    • MD5

      995596f28f9a7d8543795fa3783c5417

    • SHA1

      26bdb7edbc54be02342dc1facb281059ac85d04d

    • SHA256

      8b3dcbc8862553bd18ae5f181f192bb76a5fe20dec5184383574a7e24701d8d8

    • SHA512

      daa12601f414d8f1d25d5ec32c9a3f4885a6aba35f60e72e6d414898e29ab6c378b175c3960261474641d6344475439dfc93e590274fc7fb79094ca093931a94

    • SSDEEP

      768:QbcXWHsPosaVp9Im/mwYljpGBQfANhIqnzK3edX7j8ASEz5pOgApo1n0aE1R74XL:QQ9kR

    Score
    10/10
    sectopratcredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Modify Authentication Process

1
T1556

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Credential Access

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks