MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ae3d6c2d476f44e6d2f6aca3c90684ac6debd7113863612abfc4220693b1d5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SectopRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ae3d6c2d476f44e6d2f6aca3c90684ac6debd7113863612abfc4220693b1d5a
SHA3-384 hash: 768caae24202cac089ba9ef39e9fd33ba64efa2a6b6f8b7daf3aeeda01edf64aebf615542cb5baaf7b30b40caec18a5a
SHA1 hash: 894e7fbcef6f1ce1bc3ec7d36091a0b78456b4ee
MD5 hash: 27254e1cd473bfc10e1145a44a475223
humanhash: william-juliet-ink-cardinal
File name:27254e1cd473bfc10e1145a44a475223
Download: download sample
Signature SectopRAT
Create hunting rule
File size:847'360 bytes
First seen:2021-11-28 11:10:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep 24576:66ORXVfRjRrn/rwy5SW/0j/sMPLwCd63Q:qlfRjBn/kySfj/sMPLwn
TLSH T1E305121352D99236F0F6A3742DF913C32374BDE07F34E3AE024A68D958616E46A3572B
File icon (PE):PE icon
dhash icon 30688269b1b24410 (1 x SectopRAT)
Reporter zbetcheckin
Tags:32 exe SectopRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
27254e1cd473bfc10e1145a44a475223
Verdict:
Malicious activity
Analysis date:
2021-11-28 11:13:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9841eb36-6448-471b-996a-65455e6a8894

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38030323.18253.11722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a363c9bbfd2af97cb73b06/reports/7a0d2dc8-8ba8-4518-b8cf-26e24f7286a1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SectopRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71f69d0b-9f44-468c-890d-863efe7904b9
Result
Threat name:
SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897350
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected SectopRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 529828 Sample: pBsOD6Xkw3 Startdate: 28/11/2021 Architecture: WINDOWS Score: 100 71 45.67.229.71 ALEXHOSTMD Moldova Republic of 2->71 81 Found malware configuration 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected SectopRAT 2->85 87 3 other signatures 2->87 12 pBsOD6Xkw3.exe 1 5 2->12         started        14 ebFIIRvasb.exe.com 2->14         started        17 rundll32.exe 2->17         started        signatures3 process4 signatures5 19 cmd.exe 1 12->19         started        22 findstr.exe 1 12->22         started        101 Drops PE files with a suspicious file extension 14->101 24 ebFIIRvasb.exe.com 6 14->24         started        process6 dnsIp7 89 Obfuscated command line found 19->89 91 Drops PE files with a suspicious file extension 19->91 93 Uses ping.exe to check the status of other devices and networks 19->93 28 cmd.exe 3 19->28         started        32 conhost.exe 19->32         started        34 conhost.exe 22->34         started        73 MuuLGyulaNF.MuuLGyulaNF 24->73 63 C:\Windows\SysWOW64\...\ebFIIRvasb.exe.com, PE32 24->63 dropped 65 C:\Windows\SysWOW64\RegAsm.exe, PE32 24->65 dropped 36 schtasks.exe 1 24->36         started        file8 signatures9 process10 file11 67 C:\Users\user\AppData\Local\...behaviorgraphli.exe.com, PE32 28->67 dropped 99 Obfuscated command line found 28->99 38 Gli.exe.com 28->38         started        41 PING.EXE 1 28->41         started        44 findstr.exe 1 28->44         started        46 conhost.exe 36->46         started        signatures12 process13 dnsIp14 95 Drops PE files with a suspicious file extension 38->95 97 Uses schtasks.exe or at.exe to add and modify task schedules 38->97 48 Gli.exe.com 6 38->48         started        75 192.168.2.1 unknown unknown 41->75 signatures15 process16 dnsIp17 69 MuuLGyulaNF.MuuLGyulaNF 48->69 59 C:\Users\user\AppData\...\ebFIIRvasb.exe.com, PE32 48->59 dropped 61 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 48->61 dropped 77 Writes to foreign memory regions 48->77 79 Injects a PE file into a foreign processes 48->79 53 schtasks.exe 1 48->53         started        55 RegAsm.exe 48->55         started        file18 signatures19 process20 process21 57 conhost.exe 53->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ae3d6c2d476f44e6d2f6aca3c90684ac6debd7113863612abfc4220693b1d5a/
Threat name:
Win32.Backdoor.Sabsik
Create hunting rule
Status:
Suspicious
First seen:
2021-11-28 11:11:12 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/211128-m99weahcbm/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
suricata: ET MALWARE Win32/1xxbot CnC Checkin
Unpacked files
SH256 hash:
23d6808890b25fbc6d3461fea2a408a7c85f7cd2cb274c62e5bf4cacf8f59c4d
MD5 hash:
6a9a7e75564f621f3589f19bea7733cc
SHA1 hash:
92e3e106d46c87e2f574ca5992db709cca441c38
Link:
https://www.unpac.me/results/474cca01-9a34-441b-9754-b7d06a450bcd/
SH256 hash:
1ae3d6c2d476f44e6d2f6aca3c90684ac6debd7113863612abfc4220693b1d5a
MD5 hash:
27254e1cd473bfc10e1145a44a475223
SHA1 hash:
894e7fbcef6f1ce1bc3ec7d36091a0b78456b4ee
Link:
https://www.unpac.me/results/474cca01-9a34-441b-9754-b7d06a450bcd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ae3d6c2d476f44e6d2f6aca3c90684ac6debd7113863612abfc4220693b1d5a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SectopRAT

Executable exe 1ae3d6c2d476f44e6d2f6aca3c90684ac6debd7113863612abfc4220693b1d5a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1828050/

Comments


Avatar
zbet commented on 2021-11-28 11:10:09 UTC

url : hxxp://212.193.30.29/USA/tEUntxU300us.exe