General
Target
doc4119744_1588316_67.js
Size
37KB
Sample
230515-mwnq1sac7w
MD5
bf648d756252749d8f028833be9b144b
SHA1
d283bda82300d0178a4061813d7bdacdbaa4fdb5
SHA256
07027d28b02d8ec7d093f85a48c18d5f96140eb4006a7071d47c4ffc01473d74
SHA512
4b7319f0de318db9f7b1add6993eca7eb00c368c806126552a2dc6e7da85f83d13077180177e5fc45df79056a2b143598a1c27cdce64660ed41ca353be2454f0
SSDEEP
384:jBYwyPluL9tGPaMw7cgqz2yIGGBAR4UgJjRiBek1/cPWF0mnUOzhYLZIOU7eQyfw:jBY2SMU4z7k11F/WyV/
Static task
static1
Behavioral task
behavioral1
Sample
doc4119744_1588316_67.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
doc4119744_1588316_67.js
Resource
win10v2004-20230221-en
Malware Config
Extracted
https://carpenteriemancini.com/f2.ps1
Extracted
https://kenmillsengineering.com/rockuo.php
Targets
Target
doc4119744_1588316_67.js
Score 10/10
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
Blocklisted process makes network request
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application