Overview

overview

10

Static

static

1

run.ps1

windows10-ltsc_2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    run.ps1

  • Size

    141B

  • Sample

    250326-rw6n2swzcs

  • MD5

    6fe6ee6a496894b815dd186af8babae5

  • SHA1

    513ccf808eeeadd1d3d2c177e74534badb86fcfe

  • SHA256

    b59c1eea07af1ef9c70705b34f09f3929b12c4df4e31597c0f62a8847157ed1f

  • SHA512

    11e8b51b7af82c2221a4a863abff54405781be1e4751a6b408f4dd88762a53273eb2b8e89ad611444c47d9c043224773be340561d780dd99ab74777c8256c795

Score
10/10
sectopratdiscoveryexecutionpersistencerattrojan

Malware Config

Targets

    • Target

      run.ps1

    • Size

      141B

    • MD5

      6fe6ee6a496894b815dd186af8babae5

    • SHA1

      513ccf808eeeadd1d3d2c177e74534badb86fcfe

    • SHA256

      b59c1eea07af1ef9c70705b34f09f3929b12c4df4e31597c0f62a8847157ed1f

    • SHA512

      11e8b51b7af82c2221a4a863abff54405781be1e4751a6b408f4dd88762a53273eb2b8e89ad611444c47d9c043224773be340561d780dd99ab74777c8256c795

    Score
    10/10
    sectopratdiscoveryexecutionpersistencerattrojan

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks