{
	"id": "28a8ccc9-5bf0-46d5-9f0f-78f931e8c09b",
	"created_at": "2026-04-06T00:17:39.565312Z",
	"updated_at": "2026-04-10T03:21:52.51655Z",
	"deleted_at": null,
	"sha1_hash": "82b356d46a731f95380ddea65a8571885e942fba",
	"title": "SecTopRAT: Updates and Encrypted C2 communications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98969,
	"plain_text": "SecTopRAT: Updates and Encrypted C2 communications\r\nBy Karsten Hahn\r\nPublished: 2021-09-03 · Archived: 2026-04-05 14:06:42 UTC\r\n02/17/2021\r\nSectopRAT: New version adds encrypted communication\r\nReading time: 5 min (1226 words)\r\nSectopRAT, also known as 1xxbot or Asatafar, had been an unknown, in-development threat when we discovered it a year ago. Now it infects systems in Germany. What is the new version capable of?\r\nInfections and aliases\r\nNew appearances of SectopRAT infection attempts in our telemetry prompted me to investigate the threat that seemed in its infancy at the time of the first article. The malware has been refined and has gained more features since. To sum up the first article: SectopRAT uses a second, hidden desktop to allow remote control. Parts of it seem unfinished.\r\nWhile the previous article states that SectopRAT was first mentioned on 15 November 2019, I have now discovered that earlier tweets by @nao_sec from March 2019 use a different name for the malware: ArechClient. Other aliases are 1xxbot, ArechSoft and Asatafar. Most names stem from the module name of the RAT or the PDB path. This name has changed in the course of development, likely to evade detection and identification. For the sake of consistency and clarity I will stick with SectopRAT because the use of a second desktop seems to be the most notable core feature. Many antivirus naming policies also forbid using a name that the malware developer has chosen.\r\nThree packing layers\r\nThe analysed sample has three layers which need to be unpacked. 
The first one is obfuscated with SmartAssembly. The method with token 0x060001C6 invokes a .NET injection library (see picture of the deobfuscated code below).\r\nhttps://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication\r\nPage 1 of 6\r\nThe injection library [2] has a configuration that allows multiple options, one of them being RunPE for native files. However, only a small portion is used, which decompresses a file that is embedded as a byte array and executes it. The code in the screenshot below shows the method responsible for the decompression stub.\r\nThis decompressed file turns out to be another injection library [3]. At first glance the two libraries [2][3] look different because they use a different obfuscation. But they are actually the same injection library. This does not make sense from an attacker's perspective, as adding more layers of the same provides ample opportunity to detect the code of the packer stub, at least more so than having just one. If one obfuscation evades the antivirus software, the other might not.\r\nThe decompressed library [3] is the last packed layer and finally performs injection of SectopRAT [4] into its own child process via classic RunPE.\r\nConfiguration and encrypted CnC communication\r\nThe analyzed sample [1] saves configuration data as well as the IP of the server in a different class. The class that contained the IP in previous versions now shows the localhost. This is most likely an attempt to evade automatic extraction of the command and control (CnC) server. If such extraction tools are static, they might now yield 127.0.0.1, which won't raise as much suspicion as a non-working IP extraction. 
Dynamic analysis of course still shows the actual IP.\r\nThe configuration now has additional entries, such as a build ID and an encryption key for the CnC communication. The build ID shows \"Build 3\".\r\nThe CnC communication encryption key is saved in a 32 byte array named rawData. This key changes with different build versions. The CnC communication data is encrypted and decrypted with AES256 using said key and a randomly generated 16 byte initialization vector (IV). This IV is prepended to the encrypted data before it is sent.\r\nNew commands\r\nBesides added encryption, the server also supports a number of new commands. These are triggered via a JSON (a data-interchange format) string that contains one of the following command strings.\r\nCommand string: Description\r\nReceiveStopCapture: Not implemented\r\nReceiveParticipantList: Updates the list of participants; the purpose is unclear, the list doesn't seem to be used for anything else\r\nReceiveBotURL: Downloads a file from a given URL to %APPDATA%\\\u003crandomfilename\u003e.exe\r\nReceiveSessionID: Sets the client's session ID\r\nReceiveTestTest: Sends test JSON strings\r\nReceiveCaptureRequest: Not implemented\r\nReceiveSetColorDep: Not implemented\r\nReceiveControlInt: Not implemented\r\nReceiveSetApp: Restarts the client\r\nReceiveServerAfkSystem: Not implemented\r\nReceiveEncryptionStatus: Sets up encrypted communication to the server. If the connection type is \"ElevatedClient\", it will use the client's session ID set via ReceiveSessionID. If the connection type is \"Client\", it will use a session ID created by hashing system information of the infected system. The system info is comprised of processor, RAM and graphics card information.\r\nReceiveFullscreenRequest: Not implemented\r\nMost of these command strings are not implemented yet. 
The ones that are there mainly support the CnC encryption. The non-implemented strings paint a picture of planned updates to SectopRAT which may include screen capturing, controlling the screen resolution and fullscreen support. The purpose of the participant list as well as the ReceiveControlInt command is not clear. ReceiveServerAfkSystem may be a notification that the user is \"away from keyboard\", which means the system is currently not used.\r\nOther changes\r\nSectopRAT has no code related to persistence anymore. This part was probably outsourced to the loader.\r\nYara hunt rule evasion\r\nIn my last article about SectopRAT I published a Yara rule that contained three method names, an enum, and the module name. All but one of the method and module strings have been renamed in the newest build:\r\nEnoughSpace -\u003e EnoghtSpace\r\nRemoteClient -\u003e rsddsrrg\r\nInitHDesktop -\u003e WaitReq\r\nThis might not be a coincidence. We know that malware developers read the news. This is why public Yara rules are often only suitable to collect past samples. I recommend that malware hunters, after publishing detection rules, keep a second set of entirely different private rules for staying up to date on current samples.\r\nConclusion\r\nSectopRAT is actively used to infect systems, which is evident from our telemetry as well as from researchers like @nao_sec who found the malware being distributed via the RIG exploit kit. Stub methods in the code show which functionality is likely planned to be added soon. That may include screen capturing, full screen support and screen resolution settings.\r\nMalware naming is, once again, a difficult topic to navigate. Earlier mentions of the malware were unknown due to the different naming by researchers. It often comes down to having a bit of luck and good contacts with other researchers to see the connection. 
At the moment there is no other solution to that than documenting aliases in blogs and public resources.\r\nFact summary and IoCs\r\nAliases: 1xxbot, ArechClient, ArechSoft, Arech, AsataFar, AsataFarClient\r\nFirst known appearance: March 2019 https://twitter.com/nao_sec/status/1103474183676125185\r\nTCP IP and port: 54.194.254.16:15647\r\nBuild id: Build 3\r\nCompilation date: 2020-10-19 19:07:33\r\nCompiler: .NET Framework 4\r\nCurrent server IP saved in: %LOCALAPPDATA%\\Microsoft\\crds.rtt\r\nAES key for CnC communication: 64 6a 14 63 72 7f d8 7d c5 f5 30 46 8f 7f b0 59 28 85 67 d2 38 64 e 5e 8d 91 d2 4b 45 d1 25 d5\r\nSamples (Description | Module name | SHA256):\r\n[1] SectopRAT, analysed sample, packed | videolan.exe | df4f0960c97e2ad0697aacfd608ea2b66b732406dee28267e09234b3bad334a3\r\n[2] injection library, unpacked from [1] | Kapsscmrduikk.dll | df04b3b2ada5fd7856696f0c7c60146aff8bbd69598e591aa2d8261dd21ddb4a\r\n[3] injection library, unpacked from [1] | ClassLibrary3.dll | c77b8e0c86ae52d19d31d70bd7add6f85b3baee6f39250b06242344937bfa3df\r\n[4] SectopRAT, unpacked payload from [1] | hjguh.exe | 03fad40b096f42b90e30687dec1a8c085008399d8c0d3f45ffbf27828ac79e5e\r\nSource: https://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication"
	],
	"report_names": [
		"36633-new-version-adds-encrypted-communication"
	],
	"threat_actors": [],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82b356d46a731f95380ddea65a8571885e942fba.pdf",
		"text": "https://archive.orkl.eu/82b356d46a731f95380ddea65a8571885e942fba.txt",
		"img": "https://archive.orkl.eu/82b356d46a731f95380ddea65a8571885e942fba.jpg"
	}
}