General

Target: GmRemote.7z
Size: 3.2MB
Sample: 250401-x54tpsvwbs
MD5: 9c77429adda346dfedc408f35c1a65e6
SHA1: 6039969eb0b07cbe9e50ff105bf803a9b59c79b0
SHA256: 0c5359f0bf2662aec517a172d5aea118face4ea4313d23a91c9e8d4a0855f3ea
SHA512: 4f86b89b294c823650cc3677a92f00ff4dfaff9f8f51a2445741e05a35e119b41bd20f2c6cc9292469de2594b6869c9682400a429e8af6524cfaec9fc6bc78ab
SSDEEP: 98304:Ape2nYijFtmyleLCbmkM1v3Xk1FvxGYkOJTR6:cpnYijeyeuKkMlHk1FM46
Static task: static1
Behavioral task: behavioral1
Sample: GmRemote.exe
Resource: win10ltsc2021-20250314-en
Malware Config

Targets

Target: GmRemote.exe
Size: 465.5MB
MD5: 8a8dd3810500ea0c1192ad5545193355
SHA1: e0fd714e9f56d08318805fb3106a9a22baca8be7
SHA256: 03666f205e2c97737a5a15f8aff965a7b3728d684927568583db28957efd6b3d
SHA512: 05a882c14ae5723fcfe99379f662827d9897ef27689f82f02e323b1f9cb134ed27e0ac73faeab4c271dc9369376535e04f772edfbdb0f96d27b04e275977cafb
SSDEEP: 98304:MtrXE3k1Mol2a/d3hZmSHJLJfERO4bMBX0VgKDrY7R:R3W/d3qmJNfEAAMBXl7

Note: the 465.5MB executable was extracted from a 3.2MB archive, a compression ratio of roughly 145:1, so the bulk of the file must be highly repetitive filler. Inflated binaries of this kind are commonly padded to exceed the upload size limits of scanners and sandboxes. The hashes above cover the file as delivered; expect the padding to dominate any entropy or similarity measure taken over the whole file.
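The size figures above (a 3.2MB archive holding a 465.5MB executable) are worth confirming before spending analysis time on the binary. The script below is an added example, not part of this report and not the sandbox's own tooling: it splits a file into fixed chunks, scores each chunk's Shannon entropy, and reports the share of low-entropy bytes together with the length of the low-entropy run at the end of the file (an appended padding overlay). The chunk size, the 1.0 bit/byte threshold and the 50% / 16MB verdict thresholds are assumptions chosen for illustration, and the inputs are constructed inside the script; no bytes of the real sample are included.

```python
"""Estimate how much of a file is low-entropy padding.

Added example, not part of the sandbox report.  Splits data into fixed-size
chunks, computes the Shannon entropy of each chunk, and reports the share of
low-entropy bytes plus the length of the low-entropy run at end of file.
All sample inputs are constructed here; no bytes of a real sample are used.
"""
import math
import sys
from collections import Counter

CHUNK_SIZE = 64 * 1024
LOW_ENTROPY_THRESHOLD = 1.0   # bits per byte; zero or constant fill scores 0.0 (assumed value)


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _report_from_chunks(chunks, threshold: float) -> dict:
    sizes, low_flags = [], []
    for chunk in chunks:
        sizes.append(len(chunk))
        low_flags.append(chunk_entropy(chunk) < threshold)
    total = sum(sizes)
    low = sum(s for s, is_low in zip(sizes, low_flags) if is_low)
    # Walk backwards from EOF to measure a trailing padded overlay.
    trailing = 0
    for s, is_low in zip(reversed(sizes), reversed(low_flags)):
        if not is_low:
            break
        trailing += s
    return {
        "total_bytes": total,
        "low_entropy_bytes": low,
        "low_entropy_ratio": (low / total) if total else 0.0,
        "trailing_padding_bytes": trailing,
    }


def padding_report(data: bytes, chunk_size: int = CHUNK_SIZE,
                   threshold: float = LOW_ENTROPY_THRESHOLD) -> dict:
    """Report for an in-memory buffer."""
    return _report_from_chunks(
        (data[off:off + chunk_size] for off in range(0, len(data), chunk_size)),
        threshold)


def scan_file(path: str, chunk_size: int = CHUNK_SIZE,
              threshold: float = LOW_ENTROPY_THRESHOLD) -> dict:
    """Streaming report for a file on disk; a 465MB file is never read whole."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return _report_from_chunks(chunks(), threshold)


def looks_padded(report: dict, min_ratio: float = 0.5,
                 min_trailing: int = 16 * 1024 * 1024) -> bool:
    """Heuristic verdict: at least half the file is filler, or a 16MB+ padded tail.
    Both thresholds are assumptions for this example, not values from the report."""
    return (report["low_entropy_ratio"] >= min_ratio
            or report["trailing_padding_bytes"] >= min_trailing)


# Constructed inputs: one 64KB chunk containing every byte value equally often
# (entropy exactly 8.0 bits/byte) stands in for real code; zero bytes are padding.
CODE_LIKE = bytes(range(256)) * 256
PADDED_SAMPLE = CODE_LIKE + b"\x00" * (4 * CHUNK_SIZE)   # 80% zero padding at the tail
CLEAN_SAMPLE = CODE_LIKE * 3                            # no padding at all

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_file(target) if target else padding_report(PADDED_SAMPLE)
    print(report, "padded" if looks_padded(report) else "not padded")
```

Run it with the path of the extracted executable as the only argument to get the streaming report for the real file. If the trailing run turns out to be the padding, carving it off before hashing gives a stable hash across padded variants of the same loader, while the hashes in this report match the file exactly as delivered.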
Signatures

- SectopRAT payload
- Sectoprat family
- Suspicious use of NtCreateUserProcessOtherParentProcess (a process created with a parent other than the caller, i.e. parent PID spoofing)
- Uses browser remote debugging: can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks for any installed AV software in registry
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (rewriting a thread's context, typically to redirect execution inside a suspended process, as in process hollowing)
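The "Uses browser remote debugging" signature above states the mechanism only briefly. The detection logic below is an added example, not from this report or the sandbox, showing how the behaviour looks in process-creation telemetry: a browser started with a remote-debugging switch (--remote-debugging-port or --remote-debugging-pipe on Chromium-based browsers, --remote-debugging-port on Firefox) lets any local client script the browser and read its cookies and saved logins. The script flags such launches and raises the severity when the launch is headless, uses a profile placed under Temp, or comes from a parent that is not a known developer tool. The browser names, the developer-tool allow-list and the Sysmon-style sample records are assumptions constructed for the example.

```python
"""Flag browser launches that expose the DevTools remote-debugging interface.

Added example, not taken from the sandbox report.  The records imitate
Sysmon Event ID 1 fields (Image, ParentImage, CommandLine) and are
constructed; the browser list and the developer-tool parent allow-list
are assumptions made for this example.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
            "vivaldi.exe", "chromium.exe", "firefox.exe"}
# Parents that launch browsers with a debugging port as part of normal work
# (IDE debuggers, test runners).  Treated as lower severity, not as benign.
DEV_PARENTS = {"code.exe", "devenv.exe", "node.exe", "python.exe", "java.exe"}
TOKEN = re.compile(r'"[^"]*"|\S+')     # a quoted path or a bare token


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(record: dict):
    """Return a finding for a browser started with remote debugging, else None."""
    image = _basename(record["Image"])
    if image not in BROWSERS:
        return None
    tokens = [t.strip('"') for t in TOKEN.findall(record["CommandLine"])]
    port, pipe = None, False
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low.startswith("--remote-debugging-pipe"):
            pipe = True
        elif low.startswith("--remote-debugging-port"):
            if "=" in low:
                port = low.split("=", 1)[1]
            elif i + 1 < len(tokens) and tokens[i + 1].isdigit():
                port = tokens[i + 1]          # Firefox style: "--remote-debugging-port 9222"
            else:
                port = "?"                    # switch present, value missing
    if port is None and not pipe:
        return None

    switches = {t.lower().split("=", 1)[0] for t in tokens if t.startswith("--")}
    reasons = ["remote debugging enabled"]
    if "--headless" in switches:
        reasons.append("headless")            # no window for the user to notice
    for tok in tokens:
        if tok.lower().startswith("--user-data-dir=") and "\\temp\\" in tok.lower():
            reasons.append("profile under Temp")   # copied profile, typical of cookie theft tooling
    parent = _basename(record["ParentImage"])
    severity = "medium" if parent in DEV_PARENTS else "high"
    return {"image": image, "parent": parent, "port": "pipe" if pipe else port,
            "headless": "--headless" in switches, "reasons": reasons,
            "severity": severity}


def scan(records):
    """Apply assess() to every record and keep the findings, in input order."""
    return [f for f in (assess(r) for r in records) if f]


# Constructed process-creation records for the demonstration (not sandbox output).
SAMPLE_RECORDS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\loader.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--remote-debugging-port=9222 --headless '
                    r'--user-data-dir=C:\Users\user\AppData\Local\Temp\edge_profile'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9229 --user-data-dir=C:\Users\user\.vscode\chrome'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The parent-process allow-list only lowers severity; a debugging port opened by an IDE is still an open port that any local process can connect to, so a medium finding is worth a look rather than a suppression. Browser child processes (renderer, GPU, utility) never carry the debugging switch themselves, which is why the last record produces no finding.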
MITRE ATT&CK Enterprise v15

Tactic: Credential Access

Technique                                   ID          Count
Credentials from Password Stores            T1555       1
  Credentials from Web Browsers             T1555.003   1
Modify Authentication Process               T1556       1
Steal Web Session Cookie                    T1539       1
Unsecured Credentials                       T1552       2
  Credentials In Files                      T1552.001   2