General
- Target: YTOEOXNI.msi
- Size: 11.5MB
- Sample: 250407-pje98ayxet
- MD5: 9248af81884e42bbe88c68301645ed71
- SHA1: befa771be695135a36f0b01baeddf93d90b001a6
- SHA256: 4b580fb4ad57c5fc8820fc8b03f10c23e6760e5ae82bfad1e74837eb4cfc1b14
- SHA512: 0074593384cafe4759d17f0609672055bf9250ab934f865bdcb1f314480d5b496c805077b2a4827722aa702c7e9064ae2d4093ad015abb8206a26cdf6af609f2
- SSDEEP: 196608:XSvUddiGELiFTAVGahnhyk8N0FFLOnoksRzYlmKEomfEDS6l4crtNXX6i4p9:KUddFo9VGafSaFFL5ch4Drp9
Behavioral task
- behavioral1
  - Sample: YTOEOXNI.msi
  - Resource: win10v2004-20250314-en
Malware Config
- Extracted: hijackloader
  - directory: %APPDATA%\backupscan
  - inject_dll: %windir%\SysWOW64\pla.dll
Targets
- Target: YTOEOXNI.msi
- SectopRAT payload
- Sectoprat family
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
- Persistence
  - Event Triggered Execution (1)
  - Installer Packages (1)
  - Modify Authentication Process (1)
- Defense Evasion
  - Modify Authentication Process (1)
  - System Binary Proxy Execution (1)
  - Msiexec (1)
- Credential Access
  - Modify Authentication Process (1)
  - Steal Web Session Cookie (1)
  - Unsecured Credentials (1)
  - Credentials In Files (1)