Extracted

• • Target

    run.ps1

  • Size

    93B

  • MD5

    5ef8410849e348cb824b1fa99a1c7bc6

  • SHA1

    59300b5a7166c877155deb630794f1460d556610

  • SHA256

    7f0aef568240e46f36efd64beb9842e34e7dbb776044887584895177edc7db40

  • SHA512

    bfcf79032902536529482b537b9bcbbae5db72a3b4cdf4169d10c1da2490a66cf10421d9bfadf65fac5c48d07de7a38667db3a51186ad1c1bd21ad8fa581abab

  Score

  10^/10

  sectopratcredential_accessdiscoveryexecutionratspywarestealertrojan

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks for any installed AV software in registry

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext

  behavioral1