netsupport | e811cea654c10c0efe2618bf9d20e60c15497e8207cf5d8096aa75bab1e28573 | Triage

Submit
Reports

Overview

overview

Static

static

msys2-x86_...28.exe

windows7-x64

msys2-x86_...28.exe

windows10-2004-x64

Sharing

General

Target

tmpl0gf25c6.zip
Size

8.1MB
Sample

230130-w913yabf22
MD5

d642cdf6d6f6820b03ee08b0b11d2c8e
SHA1

85eb89e56d2264ec4bd01ec5f61e7d67c1c9f5cb
SHA256

e811cea654c10c0efe2618bf9d20e60c15497e8207cf5d8096aa75bab1e28573
SHA512

ef1d4ebb74ac7c03580690d630da608ad787665357292eaf313c529af1603aba1ff7f25ec910129822aa2f14a78b56963f2ec4b1c779a9d9d5a3096f9541a884
SSDEEP

196608:iD0D2MJ66Re4t+Es7Mbzp56t70VL6NowqPIARIDIgn7jz:iD0z66Re4t+x7MHpfaqPLa73

Score

10^/10

netsupport purecrypter downloader loader persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

msys2-x86_64-20221028.exe

Resource

win7-20221111-en

purecrypter downloader loader persistence

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

msys2-x86_64-20221028.exe

Resource

win10v2004-20220812-en

netsupport purecrypter downloader loader persistence rat upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

purecrypter

C2

https://centredesoinsanj.test-sites.fr/wp-admin/images/css/hills/bo/Zbstsgyoyuo.bmp

Targets

- Target
  
  msys2-x86_64-20221028.exe
- Size
  
  677.7MB
- MD5
  
  29eca627d9b7570ec48495e4af0f9423
- SHA1
  
  18c8d00ba107908f344a34b39169d09db04aea7a
- SHA256
  
  38f419b6ea086c7b10616650ab4892512c54612ef76313fb3b4603b6b1c5413c
- SHA512
  
  7a89e39ee2b391d80dd0a9892b54f7eaf1454818fc1813c71beae7e7d8736462ee98c84c03c2a669b1a3aa29c7600a581232e659412ebf63ba560b2d1a1b0845
- SSDEEP
  
  3072:2ahKyd2n31f5pQMCLMe4c6l19ipQ9pCFVkAKnKV0lXxii:2ahO6Vd2Xiy9pOdOx
Score

10^/10

purecrypter downloader loader persistence netsupport rat upx
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

purecrypterdownloaderloaderpersistence

behavioral2

netsupportpurecrypterdownloaderloaderpersistenceratupx

© 2018-2024

Terms | Privacy