{
	"id": "100b4df4-03f9-4fed-bb77-a9040bf4543a",
	"created_at": "2026-04-06T00:07:06.611413Z",
	"updated_at": "2026-04-10T03:21:50.950727Z",
	"deleted_at": null,
	"sha1_hash": "2a866d9b2fc81c73cef720fe033d09ac54136c41",
	"title": "Deep Dive Into SectopRat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 926475,
	"plain_text": "Deep Dive Into SectopRat\r\nBy VX-HIVE\r\nPublished: 2021-01-23 · Archived: 2026-04-05 19:44:14 UTC\r\nHello World. In this article we will look through a new version of SectopRat. It is written in .NET, so reversing it wasn't hard. Thanks to @Arkbird and JAMESWT for their original tweets.\r\nQuick Introduction:\r\nSectopRat is a RAT that was first discovered by MalwareHunterTeam on November 15, 2019. It connects to a C2 server, profiles the system, steals browser data from browsers like Chrome and Firefox, and sends the stolen user data to the server as JSON.\r\nIn Depth Reversing:\r\nSectop weaponizes WMI (Windows Management Instrumentation) in order to collect system information.\r\nHere it gets the OS name and version:\r\nSectop has a class named \"GetSystemInfo\" that implements most of its system profiling.\r\nhttps://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html\r\nPage 1 of 8\r\nIt collects:\r\n     . OS name and version\r\n     . Graphics card name and VRAM size\r\n     . CPU version and number of cores\r\n     . Physical memory size\r\n     . MAC address\r\nOther things it collects include the screen resolution.\r\nSectop also steals browser data from browsers like Chrome and Firefox.\r\nHere it opens \"%LocalAppData%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\", the SQLite database in which Chrome stores saved logins: for each entry the site URL, the username (or e-mail) used on that site and the DPAPI-encrypted password.\r\nHere they learnt a lesson from their past sample: they learnt how to use environment variables. In earlier samples the browser paths were hardcoded in the binary, which limited this functionality to machines where the hardcoded path existed.
\r\nThey used this regex in order to filter out the URLs they need from that data:\r\n\"(http|ftp|https):\\\\/\\\\/([\\\\w\\\\-_]+(?:(?:\\\\.[\\\\w\\\\-_]+)+))([\\\\w\\\\-\\\\.,@?^=%&:/~\\\\+#]*[\\\\w\\\\-\\\\@?^=%&/~\\\\+#])?\"\r\nSectop has a function called \"BrowserLogging\" which sends the C2 server a log of the actions it performs on browsers.\r\nExample: here it starts Chrome with the command-line parameters shown and then reports to the server that it is going to start Google Chrome via cmd:\r\nAs we said, it also steals info from Firefox.\r\nMozilla applications store a user's personal information in a unique profile. The first time you start any Mozilla application, it automatically creates a default profile; additional profiles can be created using the Profile Manager. The settings which form a profile are stored in files within a special folder on your computer, the profile folder. The installation directory also includes a \"profile\" folder, but this folder contains program defaults, not your user profile data.\r\nSo it basically retrieves the content of this file and then sends data to the server saying that it is fetching the user profile.\r\nThe C2 channel is a plain TCP connection.\r\nIt connects to IP 54.194.254.16 on port 15647.\r\nFor encrypting the data it sends, it uses AES.\r\nSectop's C2 commands depend on packet types.\r\nThese packet types are then handled by another function, \"HandlePackets\".\r\nSo let's go step by step :)\r\nStartStream = creates a new desktop session with the name \"sdfsddfg\":\r\nIt first checks whether that desktop has already been created; if so, it just opens it, otherwise it creates it.
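\r\nAdded example (editor's, not part of the original post or of the SectopRat code): a PowerShell triage script that hunts a live host for the artifacts this post describes, namely the \"sdfsddfg\" desktop, the chrome.exe/firefox.exe launch arguments, a TCP session to 54.194.254.16:15647 and the localhost:80 listener. The indicator values are the post's; the function names, the P/Invoke wrapper around EnumDesktops and the report layout are assumptions of this example.\r\n
```powershell
# Added editor's example, not from the VX-HIVE post or from the sample itself.
# Indicator values come from the analysis; names and layout are my own.
$Indicators = @{
    DesktopName = 'sdfsddfg'                     # second desktop created by StartStream
    C2Address   = '54.194.254.16'                # C2 of this sample; SetPubIp can rotate it
    C2Port      = 15647
    LocalPort   = 80                             # CaptureInit listener on localhost
    BrowserArgs = @('about:blank --new-window',          # chrome.exe via cmd.exe /C start
                    '--new-window https://github.com')   # firefox.exe via cmd.exe /C start
    Browsers    = @('chrome.exe', 'firefox.exe', 'iexplore.exe')
}

# No built-in cmdlet lists Win32 desktops, so call EnumDesktops on the current
# window station; the RAT creates its desktop inside the logged-on user's session.
Add-Type -Namespace Hunt -Name Desktops -MemberDefinition @'
public delegate bool EnumDesktopProc(string name, System.IntPtr lParam);
[System.Runtime.InteropServices.DllImport(\"user32.dll\", SetLastError = true)]
public static extern bool EnumDesktops(System.IntPtr hWinSta, EnumDesktopProc proc, System.IntPtr lParam);
[System.Runtime.InteropServices.DllImport(\"user32.dll\", SetLastError = true)]
public static extern System.IntPtr GetProcessWindowStation();
'@

function Get-DesktopNames {
    $names = New-Object System.Collections.Generic.List[string]
    # The callback runs synchronously inside EnumDesktops, so $names is in scope.
    $callback = [Hunt.Desktops+EnumDesktopProc]{ param($name, $lParam) $names.Add($name); return $true }
    [void][Hunt.Desktops]::EnumDesktops([Hunt.Desktops]::GetProcessWindowStation(), $callback, [System.IntPtr]::Zero)
    return $names
}

# Browsers started the way the RAT starts them: the literal argument strings from
# the post, plus the parent process (cmd.exe, because the launch goes through /C start).
function Find-SuspiciousBrowserLaunch {
    $procs = Get-CimInstance Win32_Process      # WMI, the same interface the RAT profiles with
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -notin $Indicators.Browsers) { continue }
        $cl  = [string]$p.CommandLine
        $hit = $Indicators.BrowserArgs | Where-Object { $cl -like ('*' + $_ + '*') }
        if (-not $hit) { continue }
        $parent     = $byId[[int]$p.ParentProcessId]
        $parentName = '<gone>'
        if ($parent) { $parentName = $parent.Name }
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            ParentName  = $parentName
            CommandLine = $cl
        }
    }
}

# A session to the C2 address or port (either alone is unusual), or the
# CaptureInit listener on 127.0.0.1:80 (weak on its own: local dev servers use it too).
function Find-C2Connection {
    Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
        ($_.RemoteAddress -eq $Indicators.C2Address -or $_.RemotePort -eq $Indicators.C2Port) -or
        ($_.State -eq 'Listen' -and $_.LocalAddress -eq '127.0.0.1' -and $_.LocalPort -eq $Indicators.LocalPort)
    } | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

function Invoke-SectopTriage {
    [pscustomobject]@{
        HiddenDesktopPresent = ((Get-DesktopNames) -contains $Indicators.DesktopName)
        BrowserLaunches      = @(Find-SuspiciousBrowserLaunch)
        NetworkHits          = @(Find-C2Connection)
    }
}

Invoke-SectopTriage | Format-List
```
\r\nThe desktop name and the browser launch strings are the durable indicators here: the sample's C2 address can be changed at runtime by the SetPubIp command, so a hunt keyed only on 54.194.254.16 will miss re-pointed bots.\r\n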
\r\nIt also starts Chrome using cmd.exe /C start chrome.exe about:blank --new-window, creating a new window, and starts Firefox using /C start firefox.exe --new-window https://github.com.\r\nI have no idea why it does that with Firefox; it just opens the GitHub front page. (I got bored of this code at that point.)\r\nStopStream = stops the desktop session\r\nDoMouseEvent = emulates mouse presses\r\nDoKeyboardEvent = emulates keyboard presses\r\nStartBrowser = handled by the InitBrowser function. It takes a parameter and does a switch-case on it:\r\nSo basically here it calls the functions that steal the browser data.\r\nCase 4 starts Internet Explorer, hidden and executed in the desktop session it created.\r\nDiskonect = shuts down the C2 connection\r\nSetCodecInfo = no handler is implemented for this packet type\r\nCaptureInit = starts a socket listening on localhost on port 80\r\nSetPubIp = changes the C2 server IP\r\nSectop sends its check-in info to the C2 as JSON, a typical thing for most RATs, so it can be viewed in the server GUI:\r\nBotName = username\r\nBuildID = set to \"Build 1\"\r\nBotOS = operating system\r\nURLData = URLs harvested from the browser data (see the regex above)\r\nUIP = public IP address\r\nIOCs:\r\nHashes:\r\nMD5: AC617590F4295B4E4808C488CD19E9F9\r\nSHA1: 03572EBD5C37D0839BE360B46FBEED26A4A5F78E\r\nSHA256: 0C2C45EE6F09774E00325A951F21DD4D515B0C62B63AC8FF1712E0DD2F73B262\r\nC2:\r\n54.194.254.16:15647 (TCP)\r\nOther:\r\nPDB Path: d:\\arechsoftret1\\hhfghg\\obj\\x86\\release\\hjghjg.pdb\r\nReferences:\r\nhttps://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers (analysis of an older sample)\r\nSource: https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html"
	],
	"report_names": [
		"deep-dive-into-sectoprat.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a866d9b2fc81c73cef720fe033d09ac54136c41.pdf",
		"text": "https://archive.orkl.eu/2a866d9b2fc81c73cef720fe033d09ac54136c41.txt",
		"img": "https://archive.orkl.eu/2a866d9b2fc81c73cef720fe033d09ac54136c41.jpg"
	}
}