{
	"id": "a98db777-173e-485f-90b3-a5d6afcfd65d",
	"created_at": "2026-04-06T00:15:24.679138Z",
	"updated_at": "2026-04-10T03:24:16.813912Z",
	"deleted_at": null,
	"sha1_hash": "ee7d1f675c84ccfb9c01a6713d0958d44aa2ad94",
	"title": "A long way to SectopRat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3171257,
	"plain_text": "A long way to SectopRat\r\nBy Gi7w0rm\r\nPublished: 2023-02-05 · Archived: 2026-04-05 21:08:25 UTC\r\nInvestigating a highly obfuscated stealer sample\r\n11 min read\r\nJan 18, 2023\r\nHello there, welcome back to another block post. To my disappointment, it has been a while. Life can be very\r\nbusy. But I am happy to be back. This time, with a rather “small” story about a malware reverse engineering\r\nsafari, which started around 4 days ago and got so interesting, that I thought I should share it.\r\nIt all started back on Saturday, 14 January 2023 on Twitter, where I received a direct message from a fellow\r\nsecurity researcher grep_security.\r\nHe had seen my post about the Raccoonv2 C2 list which I had shared the day before and observed an IP in the list,\r\nwhich was right in the neighborhood of an IP he had observed for some time.\r\nFigure 1 - The message that got it all started\r\nCurious, I took a look at the IP he shared. The Url led to the following Directory Listing, which at the time of\r\nwriting is still up and running:\r\nhttps://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8\r\nPage 1 of 15\n\nPress enter or click to view image in full size\r\nFigure 2 — OpenDir with “log_data”\r\nWell, it was not Raccoon_v2. But I was immediately convinced it was something bad. I had seen such folders\r\nbefore with so-called stealer malware. The likes of Mars Stealer and AgentTesla are often found to have logs\r\nstored similarly. My interest was sparked and so I decided to take a deeper dig.\r\nFirst some reconnaissance about the IP:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8\r\nPage 2 of 15\n\nFigure 3 — OTX results for IP\r\nAs you can see the IP in question seems to be from a hosting network in Kazakhstan. 
And if you look at the associated domains, you will see quite a lot of words and patterns belonging to cryptocurrencies and the crypto ecosystem: “.exchange” domains, “/airdrop/” as path names, “layer zero” and “network” in one domain, etc., all with some sort of typosquatting. This smelled phishy.\r\nAnd indeed, grep_security noticed that the whole /24 subnet seems to be related to this kind of suspicious activity. Besides, there are several reported C2s for infostealer malware in this subnet, among them RedLine, Raccoon, and others.\r\nBut neither RedLine nor Raccoon has the kind of OpenDir pattern we observed above. So let's find out if there is malware related to our IP:\r\nFigure 4 — VirusTotal result (3rd sample was uploaded after initial analysis)\r\nAs you can see, 2 samples were observed reaching out to this IP:\r\nSample 1: https://www.virustotal.com/gui/file/88b426437c97301982bf096306af1bde70caa0a9a99a60514b31d0fa0ea64afd\r\nSample 2: https://www.virustotal.com/gui/file/8a94861424eac30e36085d408100510a9af570f6dd61a4c633d7e918e4317548\r\nFor the remaining article, we will be looking at Sample 1.\r\nFirst thing I always do: detonate it in tria.ge!\r\nAs you can see, it lights up like a Christmas tree. A collection of interesting artifacts can be observed in the following image. Note that the Pastebin link returns a single IP, which is contacted via TCP after resolution. Also note the TCP port 15647 and the “PowerShell get-process” calls for “avastui” and “avgui”. 
This will help with attribution later on.\r\nFigure 6 — IoC collection — interesting artifacts marked in red circles\r\nAnother interesting thing is that the legitimate jsc.exe, which is part of the .NET Framework, behaves very strangely here, calling out to Pastebin as well as to the 2 possible C2 servers.\r\nAt this point, I decided to take a closer look at Sample 1. And before anything else, I uploaded it to unpac.me in the hope of some easy unpacking. And indeed, 3 samples were unpacked:\r\nFigure 7 — 3 binaries extracted from Sample 1\r\nAs you can see, we are looking at 1 unknown PE file and 2 legitimate Microsoft-signed binaries. One is psapi.dll and the other cachmgr.exe.\r\nSadly, my reversing capabilities do not include assembly yet, so this is where I ran into a dilemma. I had no idea what the unknown binary was doing and therefore I was at a dead end.\r\nBut there was more to this attack. So I just skipped this step and decided to look at the next one. As you can see in Figure 6, after our malicious sample gets executed, a folder named “SETUP_37419” is created in the user's Temp folder. From there, Engine.exe gets executed, and shortly after we see a command-line task started with “cmd.exe /c cmd \u003c 4”. Well, time to take a look at that folder and its contents:\r\nFigure 8 — Setup folder content\r\nThis is where things start to get more interesting, because I can understand what I am seeing: 2 images, 1 executable, a .qsp file, and a Setup.txt file. 
At this time I didn’t know what a .qsp file is, so let's take a look at it with a text editor:\r\nFigure 9 — .qsp content\r\nThat's a lucky hit. What we can learn from here is that the file seems associated with QSetup. The .qsp file contains all instructions needed so that Engine.exe knows what it should execute on the system. It's even mentioned at the bottom of their webpage as the software used to execute on the customer's device. Uploading Engine.exe to VirusTotal further confirms this theory. Furthermore, we see that the directory “Temp/5col3ccv.tda/” is referenced. Also, a list of items is given: “.\\45”, “.\\4”, and “.\\7”. This also explains what our cmd command means: “cmd /c cmd \u003c 4” feeds the file named 4 to cmd on standard input, so cmd executes the commands contained in that file line by line.\r\nThe other 3 files, the 2 .bmp files and the Setup.txt file, are not very interesting. Both images are resources of the installer and the Setup.txt has the same content as the .qsp but in a different format.\r\nSo next, let's take a look at the folder mentioned in the .qsp file:\r\nFigure 10 — 5col3ccv.tda folder content after execution\r\nIf you are wondering where “.\\7” is, we will get there. It gets changed during the install process. But let's look at “.\\4”, which is executed by cmd.\r\nUpon opening it, we are greeted by tons of gibberish:\r\nFigure 11 — Obfuscated CMD commands\r\nBut if you look at it closer you will notice that most of it is trash code, which is included to confuse, and only some of the lines contain valid code. 
Basically, it is a string replacement: each “set \u003cvery_long_random_string\u003e=\u003cchar\u003e” line defines a single character, and the real commands are assembled from “%variable%” references to those lines.\r\nAfter deobfuscating this, we get the following lines of cmd commands:\r\nFigure 12 — Deobfuscated CMD commands\r\nLet's try to understand the above script. The first thing that catches the eye is the search for processes called “avastui” and “avgui” using the PowerShell Get-Process cmdlet. Both processes belong to the Avast antivirus suite. If the processes are running, the script changes the name used for the dropped executable from Champion.exe.pif to AutoIt3.exe, and the name of the file “S” to “S.a3x”. This already foreshadows the next stage of this attack. Then, the script creates a randomly named directory (in Figure 10 you see it as 17473). It creates a file called Champion.exe.pif (or AutoIt3.exe, if Avast was found) in this random folder and writes the two bytes “MZ”, the DOS header magic, into it. Then it searches for a certain string in the file named “45”. If we look at “45” in a hex editor, we see a bunch of binary data with the string that findstr searches for prepended as the first line. The /V flag makes findstr output only the lines that do not match, and /R treats the search string as a regular expression, so every line except the marker line is written into the newly created file. Note the “\u003e\u003e”, which appends the content rather than overwriting it. The outcome? A perfectly valid PE file, which after some investigation proves to be a legitimate AutoIt3 executable.\r\nThe script then moves the file “7” into the same random directory where the AutoIt3 executable called Champion.exe.pif is. Thereby it gets renamed to “S” or “S.a3x”, depending on the Avast detection. After that, “Champion.exe.pif” executes “S”. 
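To make the two tricks of this stage concrete, here is an added example written for this edited version; it is not code from the original post. It generates a constructed batch script in the style of file “4” (every character of a command defined through a “set <random name>=<char>” line, reassembled from %name% references, with unused set, rem and :: lines as noise), resolves it back into the clear commands, and emulates the carving step by writing “MZ” and appending every line of a constructed carrier file that does not contain the marker. The command list CLEAN_COMMANDS, the placeholder marker MARKERSTRING, the “echo|set /p=MZ>” idiom, the noise-line forms and the carrier layout are assumptions; the real script's marker, paths and junk lines are not reproduced here.

```python
import random
import re
import string

# Added example, not code from the original post. It reproduces the two
# mechanics of the batch stage: character-per-variable obfuscation and the
# findstr-based reassembly of the AutoIt executable.

CRLF = chr(13) + chr(10)                       # batch files use CRLF line endings
SET_RE = re.compile(r'^ *set +([^= ]+)=(.*)$', re.IGNORECASE)
VAR_RE = re.compile(r'%([^%]+)%')
CMD_SPECIALS = '|<>&^'                         # cmd requires a ^ escape in set values


def obfuscate_batch(commands, seed=1):
    # Generator for a constructed sample in the style of file "4": one
    # `set <random>=<char>` line per character, noise lines in between, then
    # the command reassembled from %name% references. Deterministic per seed.
    rng = random.Random(seed)

    def random_name():
        return ''.join(rng.choice(string.ascii_letters) for _ in range(24))

    lines = []
    for cmd in commands:
        refs = []
        for ch in cmd:
            name = random_name()
            value = '^' + ch if ch in CMD_SPECIALS else ch
            lines.append('set ' + name + '=' + value)
            refs.append('%' + name + '%')
            if rng.random() < 0.5:             # unused noise: never referenced
                lines.append(rng.choice([
                    'rem ' + random_name(),
                    '::' + random_name(),
                    'set ' + random_name() + '=' + random_name(),
                ]))
        lines.append(''.join(refs))
    return CRLF.join(lines) + CRLF


def deobfuscate_batch(text):
    # Resolve the one-character variables and drop noise. Returns the
    # recovered command lines. A set line whose value is longer than one
    # character is kept only if the variable is referenced somewhere, since
    # it may be a genuine variable (e.g. a value chosen at run time); its
    # %name% references are left untouched.
    lines = text.splitlines()
    referenced = set()
    for line in lines:
        referenced.update(n.lower() for n in VAR_RE.findall(line))

    alphabet = {}
    kept = []
    for line in lines:
        m = SET_RE.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2)
            if len(value) == 2 and value[0] == '^':   # ^| ^> ^& ^^ ... -> one char
                value = value[1]
            if len(value) == 1:
                alphabet[name] = value                # part of the obfuscation alphabet
                continue
            if name not in referenced:                # defined but never used: noise
                continue
        low = line.strip().lower()
        if not low or low == 'rem' or low.startswith('rem ') or low.startswith('::'):
            continue
        kept.append(line)

    def expand(match):
        return alphabet.get(match.group(1).lower(), match.group(0))

    return [VAR_RE.sub(expand, line) for line in kept]


def carve_pe(carrier, marker):
    # Emulates  echo|set /p=MZ>out  followed by  findstr /V /R marker carrier >>out
    # findstr works line by line and /V keeps only the lines that do NOT match,
    # so the marker line (with its line ending) disappears and every other byte
    # passes through; the prepended "MZ" completes the DOS header magic.
    # Caveat: if the marker bytes also occur inside the binary, that line is
    # lost too, a corruption the real carrier must avoid.
    body = b''.join(line for line in carrier.splitlines(keepends=True)
                    if marker not in line)
    return b'MZ' + body


# Constructed stand-in for the commands of Figure 12 (paths simplified,
# placeholder marker; not the real script).
CLEAN_COMMANDS = [
    'powershell get-process avastui',
    'echo|set /p=MZ>Champion.exe.pif',
    'findstr /V /R MARKERSTRING 45 >>Champion.exe.pif',
    'move 7 S',
    'Champion.exe.pif S',
    'ping 127.0.0.1 -n 3',
]

# Constructed carrier in the layout described for file "45": marker line first,
# then the executable minus its first two bytes (here only a DOS header stub).
MARKER = b'MARKERSTRING'
CARRIER = MARKER + bytes.fromhex('0d0a') + bytes.fromhex('90000300000004000000ffff0000')

if __name__ == '__main__':
    for cmd in deobfuscate_batch(obfuscate_batch(CLEAN_COMMANDS)):
        print(cmd)
    print(carve_pe(CARRIER, MARKER).hex())
```

Run stand-alone, the block prints the six recovered commands followed by the hex of the carved stub, which starts with 4d5a. The heuristic of dropping set lines that are never referenced is what removes the junk assignments; a real sample that stores a multi-character value in a referenced variable keeps that line and its %name% uses, so the analyst can still see where a run-time decision (such as the Avast branch) feeds in.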
A ping to localhost is executed, probably to give the execution some time before the batch script exits.\r\nSo our next goal is obvious: What exactly is “S” or “S.a3x”? And what does it do?\r\nWell, we know already it's probably an AutoIt script. We also know there will be an execution of “jsc.exe” next. But at the time I had no idea of the AutoIt file format. So after looking at the “S” file and realizing I could not read anything in it because of the obfuscation, I decided to call for help via Twitter:\r\nAt that time I thought I was facing a “.a3x” file, so I thought it had been compiled in some way. Even after looking at “S” in a text editor, I had just understood gibberish and therefore I saw my fears come true. However, some hours after this tweet I realized that I was looking at a highly obfuscated “.au3” file. Unlike “.a3x”, “.au3” is not compiled but a readable script. Still, the obfuscation was so strong that I wasn’t mad when some people started reacting to my post, telling me they would like to take a look at it.\r\nAt this point, I would like to give a huge thanks and shoutout to Hexacorn, _EthicalChaos_, _theVIVI, DidierStevens, richeyward, luc4m, and especially dr4k0nia (who solved the riddle), because all stepped forward voluntarily in the last days to help with this! I really appreciate seeing so many researchers who are willing to help and I am honored to have such a nice community on Twitter!\r\nSo what did I look at? Here is a little extract.\r\nFigure 13 — Obfuscated AutoIt script\r\nThe script had 10255 lines in this style; the only thing sticking out was a block of hex data. 
It has to be noted that the script had 0/64 detections at the time of submitting it to VT.\r\nI tried to extract the hex block and convert it to a binary, as this would be a common way of embedding a binary into a script file. However, I had no success.\r\nLuckily, others had more luck:\r\nBoth dr4k0nia and _EthicalChaos_ came up with a decryption method working the same way as the “DoctrineDrama” function in Figure 13, which is used throughout the whole script:\r\nFigure 14 — Decryption function\r\nWith the help of this function, Hexacorn was able to produce a first script which was slightly less obfuscated. However, it was still full of string replacements, which made it nearly unreadable. If you want to look at this and would like a little head start, check out his version here. I uploaded it to Triage as a means of file transfer.\r\nAs you can see, the parts deobfuscated are function calls and imported libraries. This gave further proof of a possible process injection through process hollowing:\r\nAs initially expected, the AutoIt script injected some code into the legitimate “jsc.exe”. This code was then responsible for conducting the malicious activity. Besides, the script was also responsible for the initial DNS query that was observed.\r\nFigure 15 — Weird ping\r\nIt was probably implemented for execution control.\r\nSadly, the AutoIt script proved to be too bulletproof to fully reverse it. Until now, none of the researchers that took a look at it were able to achieve full deobfuscation. 
(Please notify me if you should manage to do it, and I will gladly add an update to this post.)\r\nHowever, after a while, dr4k0nia was able to dump the final payload!\r\nI saw this as a big breakthrough, as we were able to dump the final stage of this attack, a .NET binary with the SHA-256 hash “a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910”.\r\nHowever, we soon learned that the binary was strongly obfuscated using flow-dependent mutations and flow-dependent variables, which made the important parts nearly unreadable. Still, upon opening the file in dnSpy, some important functions could be recovered, which made it possible to determine the nature of the file:\r\nFigure 16 — Stealer == True\r\nFrom the function names and some other artifacts, it's clear that we are looking at a credential stealer. It fingerprints the system and then steals as much sensitive data as possible. Just as we expected.\r\nWe also see the creation of a TCP client, which is used for C2 communication:\r\nFigure 17 — TCP client\r\nA string dump was released by dr4k0nia. A slightly cleaned-up version by me can be found here. It further proves the malicious nature of this binary.\r\nAs we can’t fully deobfuscate the binary, we cannot fully prove which stealer this is. However, based on several artifacts, I do believe we are dealing with a highly obfuscated version of ArechClient2/SectopRAT.\r\nFirst, ArechClient2 detections which are based on the TCP connection init by ArechClient2 did hit on VirusTotal. Second, MalwareBazaar also identifies it as ArechClient2. 
Prior analysis of this threat has shown very similar TTPs: a connection via TCP/IP, a connection to port 15647, JSON-based communication, a connection attempt to eth0[.]me, even the strings observed in the string dump by dr4k0nia, all align with this threat.\r\nFigure 18 — Old analysis left, our analysis string dump right\r\nSo, the reversing is done, the threat is identified, and we are done, right?\r\nWell, not fully, there is some more info I would like to add.\r\nFirst of all, my initial goal in this analysis, besides the identification of the threat, was to decrypt the log data accessible in the open directory mentioned in Figure 2. While dr4k0nia was able to uncover the AES key used by our sample, the IV appears to be randomly generated and attached to the extracted data. On its own, that is not what blocks decryption: an IV that travels with the ciphertext is not secret, and whoever holds the key can read it back from the data before decrypting. Nevertheless, I was not able to decrypt the log data in the open directory.\r\nSecondly, I initially thought this threat was shared via a crypto scam attack, based on the URLs associated with our initial IP address (77.73.133.81). However, after further research, I discovered that the execution parent of our sample is actually a file called “obs-installer-setupx64–29.685.zip”.\r\nThis shows that the sample is probably shared through one of the many Google Ads campaigns which are currently ongoing, where threat actors register malicious websites, make them appear like official software pages, and then lure victims into downloading malicious software. These pages are often advertised through Google Ad campaigns, allowing the threat actors to place their malicious sites right at the top of Google searches for the software product in question. And these campaigns prove to be successful. 
The open directory with the alleged log data contained 18,158 individual files, meaning this actor alone has likely compromised more than 18,000 victims.\r\nIT security researcher Germán Fernández also noticed this connection and found 70 domains associated with this threat.\r\nWell, I will leave it here for today. If you have read until here, I am glad you made it. I want to take this opportunity to thank grep_security for reaching out with his question. It was a nice hunt and I am happy we made it. Thanks again to all the people who helped during this investigation.\r\nIf you haven't, please follow my Twitter for more awesome IT security content. Also follow dr4k0nia, grep_security, and all the others mentioned above, they deserve it :)\r\nFor a list of IoCs, please see this file on GitHub.\r\nUntil next time!\r\nCheers\r\nUpdate (05.02.2023):\r\n@dr4k0nia followed up with her own blog on this topic.\r\nIf you want to get more insights on how to reverse the AutoIt script and the final .NET payload, check out: https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/\r\nSource: https://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8"
	],
	"report_names": [
		"a-long-way-to-sectoprat-eb2f0aad6ec8"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775791456,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee7d1f675c84ccfb9c01a6713d0958d44aa2ad94.pdf",
		"text": "https://archive.orkl.eu/ee7d1f675c84ccfb9c01a6713d0958d44aa2ad94.txt",
		"img": "https://archive.orkl.eu/ee7d1f675c84ccfb9c01a6713d0958d44aa2ad94.jpg"
	}
}