netsupport | 9969a0b62356c03aecf524ba69c136e675792b435eaf604c12dc5d36ed9c8aae | Triage

Submit
Reports

Overview

overview

Static

static

8

newf.dotm

windows7-x64

newf.dotm

windows10-2004-x64

Sharing

General

Target

newf.dotm
Size

17KB
Sample

230418-xak34sdd55
MD5

175722ba98f8f2715841c2c22026b7c8
SHA1

23aab879b915d58e4f8eb8d1399d33963ce2ecb4
SHA256

9969a0b62356c03aecf524ba69c136e675792b435eaf604c12dc5d36ed9c8aae
SHA512

e1be8ad4704ac71e2afc7d53f7273942f13446cbf31bbf40b2afc308209522298d32be3bfb3011dce224b39e335c77985c462aa7488280dc229299296cf6d425
SSDEEP

384:tmtriu1E3VPxAYwmhr9BiNiC78QyRC6hIm6akwLWdxdIZYB3S:q11gpxAYFhTiNV8QyRp2akw6LIOw

Score

10^/10

netsupport macro persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

newf.dotm

Resource

win7-20230220-en

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

newf.dotm

Resource

win10v2004-20230220-en

netsupport persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/foxxlrep/repo/downloads/zip.zip

Extracted

Language

ps1

Source

URLs

exe.dropper

https://gold-fish.top/glazgo.zip

Targets

- Target
  
  newf.dotm
- Size
  
  17KB
- MD5
  
  175722ba98f8f2715841c2c22026b7c8
- SHA1
  
  23aab879b915d58e4f8eb8d1399d33963ce2ecb4
- SHA256
  
  9969a0b62356c03aecf524ba69c136e675792b435eaf604c12dc5d36ed9c8aae
- SHA512
  
  e1be8ad4704ac71e2afc7d53f7273942f13446cbf31bbf40b2afc308209522298d32be3bfb3011dce224b39e335c77985c462aa7488280dc229299296cf6d425
- SSDEEP
  
  384:tmtriu1E3VPxAYwmhr9BiNiC78QyRC6hIm6akwLWdxdIZYB3S:q11gpxAYFhTiNV8QyRp2akw6LIOw
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

netsupportpersistencerat

© 2018-2024

Terms | Privacy