MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88ea3cbc1800e407f1d73e89c4d68cce0be9999a26f9486badd1dbad6d2c1161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SectopRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88ea3cbc1800e407f1d73e89c4d68cce0be9999a26f9486badd1dbad6d2c1161
SHA3-384 hash: 27552897fb9384e727aca0b645fda0478ef8de2c72d0b3c0818b0156d1b56f973d581c40bf3360e929857906cef6d6d9
SHA1 hash: a91b32055f63bd49f3c29cd336f82f7d1927fb30
MD5 hash: e492ef9e7d6d861edf1504b28e27d2a1
humanhash: bluebird-september-butter-eight
File name:e492ef9e7d6d861edf1504b28e27d2a1
Download: download sample
Signature SectopRAT
Create hunting rule
File size:1'949'184 bytes
First seen:2023-06-01 07:35:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:+g2nR7I1MQGipB+Bf/WtkhUihPxob7U6a3jMCFi/PjKTlkCCajo0doGBr04KfJHl:sIWripUx6klaI6WieGFYLBj4JpL
Threatray 927 similar samples on MalwareBazaar
TLSH T1D595F1EB76886E61CB3C48B5C0A55D0497AC1DA742C0F6AC21F4BE9F24F772719A5C23
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e0dcdcccdcdcd8f8 (1 x Arechclient2, 1 x SectopRAT)
Reporter zbetcheckin
Tags:64 exe SectopRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394313/
Detection(s):
SecuriteInfo.com.Variant.Barys.432887.23815.28122.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys evasive packed
Link:
https://www.filescan.io/uploads/64784a63c458e0a78423e36a/reports/b8d6c988-a634-49d9-b514-0384b7595595/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/88ea3cbc1800e407f1d73e89c4d68cce0be9999a26f9486badd1dbad6d2c1161
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59f2e73c-0dd7-4a8d-bb6b-8b14064a2c85
Result
Threat name:
RedLine, SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246624
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected SectopRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88ea3cbc1800e407f1d73e89c4d68cce0be9999a26f9486badd1dbad6d2c1161/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 00:52:54 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
15
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdvdzpayadsap4oxh2e4jvumzyf6tgm2e34uq25n2hn223jmcfqq._file
Verdict:
malicious
Similar samples:
0a3b25e9d43dce5c47a29c74576ed3c5dde16c1de2004828d73f199d65fa315a
SectopRAT
171c875a544e96c823170d1df870587300965ee069bc7dc35845b1bfccf17465
SectopRAT
4458a1f6050e6dda81597624cd2464ec0ee79d1021384420d9f0462695d2f8dc
SectopRAT
979633ef5386a4386d862a8643210676ec89394021b2513a69e5588ff5b49453
SectopRAT
c27d7174b52a423cdd51187de5c53bd0f3dfebbc76f92575864f3ba4abf2f012
SectopRAT
cd4dec1e65906cf775da7ec8cf30205a37275502bdcf6980e8dfc331b105e690
SectopRAT
+ 917 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat rat trojan
Link:
https://tria.ge/reports/230601-je84vadb46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
SectopRAT
SectopRAT payload
Unpacked files
SH256 hash:
88ea3cbc1800e407f1d73e89c4d68cce0be9999a26f9486badd1dbad6d2c1161
MD5 hash:
e492ef9e7d6d861edf1504b28e27d2a1
SHA1 hash:
a91b32055f63bd49f3c29cd336f82f7d1927fb30
Link:
https://www.unpac.me/results/0aef8c66-91d7-4b34-99f5-a392080ced0a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88ea3cbc1800/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88ea3cbc1800e407f1d73e89c4d68cce0be9999a26f9486badd1dbad6d2c1161

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SectopRAT

Executable exe 88ea3cbc1800e407f1d73e89c4d68cce0be9999a26f9486badd1dbad6d2c1161

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2648578/
Cape
Cape
https://www.capesandbox.com/analysis/394313/

Comments


Avatar
zbet commented on 2023-06-01 07:35:20 UTC

url : hxxp://162.55.212.236/dbupdater.exe