Extracted

• • Target

    file.ps1

  • Size

    93B

  • MD5

    052dc13ffe85d1ed20df67cda93703b5

  • SHA1

    44f1abb169b923048c67cfe0c8e1e909aca77a08

  • SHA256

    224f43d5ef6e058aa2ff03c942adfb0936ecf28394a8d58ffaab724ebbd6d121

  • SHA512

    f3e257d967f3b636372d996902829fef01239635fa3c2e5afdce92947c814125c1997478a8cd20ae19f25219759ad917a2123e67821b6ec0a7cc7360434b18c7

  Score

  10^/10

  sectopratcredential_accessdiscoveryexecutionratspywarestealertrojan

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Sectoprat family

    sectoprat

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext

  behavioral1