General

  • Target

    002776699.js

  • Size

    61KB

  • Sample

    230525-sve1dabe8x

  • MD5

    dbbdc92ca62d36dceef0883b2da867ed

  • SHA1

    5671539e582d08c0c589ba4ac1721af4ed6f71a4

  • SHA256

    3c502bb5021338ef3778c4dd6ca43f9afa1fbda25e0f13a5d956482eae80ac11

  • SHA512

    eec648e5c9218fe0b6faf9fa27c2b74ba95b1d4d2c0e91f70ed3b806ad37c566ea73dec2925c70be312d9cc867ea5cbaec2d0fe540693c69758f368fce7ed5a3

  • SSDEEP

    768:P+UeULOhtYgty9w9CHwYjQiJsnnlrD9a5Ybgu1zD+SpJGgflJcCB1vnJrm6YkFf5:/eUL2tVWWCv07nlPMSgSzyS9tJvM/2

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    https://figocoin.it/auth.php

Targets

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6