netsupport | 8598754b4df41f8cefcdb84722b0c7047c4a52cb28b78f4250d1c30737bb2f04 | Triage

Sharing

General

Target

40e8a80c7841a2bf3a629489409370d1.bin
Size

10KB
Sample

230513-bkyajafa38
MD5

f55eb59036ce11993f2b54fce6875a41
SHA1

083f23f3b29ad1ce7257f67240c4e02d1ba49696
SHA256

8598754b4df41f8cefcdb84722b0c7047c4a52cb28b78f4250d1c30737bb2f04
SHA512

c242dcfe4fc4768cfd0df2427056275200b8d8c6e3ec7c9c4ac444db6d78cfec17b0a9babaa80eb7f5e200942d47a765e23162bc999ccf07d780972523e4f551
SSDEEP

192:CTNuobDE2fn4i9jJKJFhboIibyIGl/XdNikX6TotmHWRgnfAVGOs4lHjzXyLl9L:BK4i9jgOyh/XukXWonMOdjWLlJ

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.193.43.96/upl.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://91.193.43.96/main.php

Targets

- Target
  
  Versandbestaetigung_155002_23098.js
- Size
  
  32KB
- MD5
  
  aacc50b6cb34a6464a811793fbbc9776
- SHA1
  
  5e4bc0f6dcbd8687fd54d7c75584fc784e44cf3d
- SHA256
  
  684bd7367b7f3365a7420b767632c453fa2ae68a937723cfc9b38a2381097ad6
- SHA512
  
  b33090526297166e73b28a41a5503cb2d98f6b1e601db27af21ed4069ce5629a5d59297699a0ed715d2e00360eb917bd831b98ae753596e6b30fc114d8f443fe
- SSDEEP
  
  384:pJ26gAE6CcsFVP8Nrpl3i+00+/hwaEV8dyXx9DCymMnOWesqoqAv4CCpuh6yEFUr:pJaWs0PFBVdXtriaCkeJ5LG7n5VVkm
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportpersistencerat