General
-
Target
msi8.msi
-
Size
19.9MB
-
Sample
250407-pkth8syxhy
-
MD5
3101ecfa0802a37677592a003f4005b1
-
SHA1
cf611230456d70127f7541723af162c6a09d6549
-
SHA256
69a2b85495bbf5fe03c9fa86e6b7b931f52e986a0ad1885583a4486f2b6d39c3
-
SHA512
ea9d2b6f211d9e5811d57d1525252d437f0a3a3f81ce21750824ed53967d1f834b1e3908d761e371e3bf3f80d2e35dae362ba451d1bf843f57051b6870b68eb6
-
SSDEEP
196608:R8DQnkCru3ZBggTPCBAIk9a7911FuyuON7NKmiRT5kozS6A4d2mOmGhIXA:kYkCwz+BP9ZuyuOxNzOkos4zG2XA
Behavioral task
behavioral1
Sample
msi8.msi
Resource
win10v2004-20250314-en
Malware Config
Extracted
hijackloader
-
directory
%APPDATA%\QuickJava_wys_5
-
inject_dll
%windir%\SysWOW64\pla.dll
Targets
-
Target
msi8.msi
-
SectopRAT payload
-
Sectoprat family
-
Uses browser remote debugging
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
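The extracted HijackLoader config (staging directory %APPDATA%\QuickJava_wys_5), the "Uses browser remote debugging" signature and the Msiexec proxy-execution mapping each leave a trace in process-creation telemetry. The script below is an added hunting example, not part of the sandbox report or of any vendor's detection content: it runs three checks over Sysmon event ID 1 style records (Image, CommandLine, ParentImage, CurrentDirectory). The log records, the user name "victim", the QuickJava.exe file name and the list of browser image names are constructed assumptions for the example; %APPDATA% is assumed to expand to C:\Users\<user>\AppData\Roaming. The pla.dll injection target from the config is not visible in process-creation events and is not covered here.

```python
"""
Hunting checks for the behaviors in the sandbox report (added example, not
from the report or any vendor tooling):

  1. image or working directory under the HijackLoader staging directory
     %APPDATA%\QuickJava_wys_5 taken from the extracted config,
  2. a browser started with a Chromium remote-debugging switch, the
     mechanism behind the "Uses browser remote debugging" signature,
  3. msiexec.exe installing a package from a user-writable location
     (ATT&CK System Binary Proxy Execution: Msiexec).
"""
import re
from dataclasses import dataclass

# Assumption: %APPDATA% expands to C:\Users\<user>\AppData\Roaming, so the
# configured directory %APPDATA%\QuickJava_wys_5 appears like this on disk.
STAGING_DIR = r"\AppData\Roaming\QuickJava_wys_5"

# Assumed set of Chromium-based browser image names worth checking.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Chromium switches that expose the DevTools protocol to another local process.
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)

# Locations a standard user can write to; an MSI launched from here merits review.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# msiexec /i <package> or -i <package>, quoted or unquoted.
MSI_PACKAGE_RE = re.compile(r'[/-]i\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class ProcEvent:
    """Subset of Sysmon event ID 1 fields used by the checks."""
    image: str
    command_line: str
    parent_image: str
    current_directory: str


def image_name(path: str) -> str:
    """Last path component, lower-cased, e.g. 'msiexec.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of the hunting rules that match one event."""
    findings = []
    staging = STAGING_DIR.lower()
    if staging in ev.image.lower() or staging in ev.current_directory.lower():
        findings.append("hijackloader_staging_dir")
    name = image_name(ev.image)
    if name in BROWSERS and REMOTE_DEBUG_RE.search(ev.command_line):
        findings.append("browser_remote_debugging")
    if name == "msiexec.exe":
        m = MSI_PACKAGE_RE.search(ev.command_line)
        if m:
            package = m.group(1) or m.group(2)
            if USER_WRITABLE_RE.search(package):
                findings.append("msiexec_user_writable_package")
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rules, for events that matched anything."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}


# Constructed sample log for the example; not taken from the sandbox run.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\victim\Downloads\msi8.msi"',
              r"C:\Windows\explorer.exe", r"C:\Users\victim\Downloads"),
    ProcEvent(r"C:\Users\victim\AppData\Roaming\QuickJava_wys_5\QuickJava.exe",
              r'"C:\Users\victim\AppData\Roaming\QuickJava_wys_5\QuickJava.exe"',
              r"C:\Windows\System32\msiexec.exe",
              r"C:\Users\victim\AppData\Roaming\QuickJava_wys_5"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless --user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"',
              r"C:\Users\victim\AppData\Roaming\QuickJava_wys_5\QuickJava.exe",
              r"C:\Users\victim\AppData\Roaming\QuickJava_wys_5"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
              r"C:\Windows\explorer.exe", r"C:\Users\victim"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {image_name(ev.image)} <- {image_name(ev.parent_image)}: {', '.join(rules)}")
```

Treat these as hunt queries rather than blocking rules: a user installing software from Downloads will trip the msiexec check, and a developer's headless Chrome will trip the remote-debugging check. The combination seen in the third constructed event (a browser started with a debugging switch by a process living in a freshly created %APPDATA% directory) is the signal worth escalating.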
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution 1
Installer Packages 1
Modify Authentication Process 1
Defense Evasion
Modify Authentication Process 1
System Binary Proxy Execution 1
Msiexec 1
Credential Access
Modify Authentication Process 1
Steal Web Session Cookie 1
Unsecured Credentials 1
Credentials In Files 1