General

  • Target

    04037599.js

  • Size

    60KB

  • Sample

    230601-t4vmvsff7s

  • MD5

    be2084431124f972feebb754b22ae1d0

  • SHA1

    345b249939e65af27af345808eb0b659ec001d83

  • SHA256

    0b6acae5752405446505b8302434cc7f17af5801cb0d3f1455c9bf446009f650

  • SHA512

    9bbf7a858b7fa13c0298edc1cb4821897398fa8534358a04d1dd84872955392a11daceabc438997caa2de3cf2a0530c3bbf1cf95c9eebd2d2eac5850dc6b04cc

  • SSDEEP

    768:2QWZXjJuA5N5/UNXV6EclQWr0zda07eBAL+juQeFdg:IZCWmzYKl+jSg

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper
    https://mapla.com.mx/uploads/index.php

Targets

    • Target

      04037599.js

    • Size

      60KB

    • MD5

      be2084431124f972feebb754b22ae1d0

    • SHA1

      345b249939e65af27af345808eb0b659ec001d83

    • SHA256

      0b6acae5752405446505b8302434cc7f17af5801cb0d3f1455c9bf446009f650

    • SHA512

      9bbf7a858b7fa13c0298edc1cb4821897398fa8534358a04d1dd84872955392a11daceabc438997caa2de3cf2a0530c3bbf1cf95c9eebd2d2eac5850dc6b04cc

    • SSDEEP

      768:2QWZXjJuA5N5/UNXV6EclQWr0zda07eBAL+juQeFdg:IZCWmzYKl+jSg

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software; here it is the dropped payload.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the payload runs.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
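Turning the behaviours listed above into detection logic, as an added example that is not part of this report and not the sandbox's own signature code: the event schema and both traces are constructed, and the registry value used for the geofence check (`Control Panel\International\Geo\Nation`) and the NetSupport client binary name (`client32.exe`) are assumptions not stated on the page. Only the SHA256 and the dropper host are taken from the report itself.

```python
"""Detection rules for the behaviour chain in this report, run over a
constructed sandbox-style trace. Added example; not the sandbox's own code.
The event schema, the traces, the geofence registry value and the NetSupport
client binary name are assumptions."""
import re
from dataclasses import dataclass, field

# Indicators taken directly from the report.
SAMPLE_SHA256 = "0b6acae5752405446505b8302434cc7f17af5801cb0d3f1455c9bf446009f650"
DROPPER_HOST = "mapla.com.mx"

# Assumptions not stated in the report: the per-user locale value that a
# "checks computer location settings" signature watches, and the name of the
# NetSupport Manager client executable.
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"
NETSUPPORT_IMAGES = {"client32.exe"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass
class Event:
    """One line of a hypothetical sandbox trace (constructed schema)."""
    kind: str                     # process | network | registry | file
    image: str                    # full path of the acting process
    parent: str = ""              # full path of the parent process
    dest_host: str = ""           # network events only
    target: str = ""              # registry key or file path
    hashes: dict = field(default_factory=dict)  # file events only


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return rule names in the order they fire on the trace."""
    hits = []
    for e in events:
        img, parent, target = basename(e.image), basename(e.parent), e.target.lower()
        if e.kind == "file" and e.hashes.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append("known_sample_hash")
        if e.kind == "process" and parent in SCRIPT_HOSTS and img == "powershell.exe":
            hits.append("script_host_spawns_powershell")
        if e.kind == "network" and img in SCRIPT_HOSTS | {"powershell.exe"}:
            hits.append("blocklisted_process_makes_network_request")
        if e.kind == "network" and e.dest_host.lower() == DROPPER_HOST:
            hits.append("known_dropper_url")
        if e.kind == "registry" and target.endswith(GEO_NATION_SUFFIX):
            hits.append("checks_computer_location")
        if e.kind == "registry" and RUN_KEY_RE.search(e.target):
            hits.append("adds_run_key")
        if e.kind == "process" and img in NETSUPPORT_IMAGES:
            hits.append("netsupport_executed")
    return hits


def verdict(hits):
    """Malicious once the chain shows both delivery and a dropped payload."""
    distinct = set(hits)
    delivery = {"script_host_spawns_powershell", "known_dropper_url"} & distinct
    payload = {"netsupport_executed", "adds_run_key"} & distinct
    return "malicious" if delivery and payload else "suspicious" if distinct else "clean"


# Constructed trace modelled on the behaviours above (not a real sandbox log).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_TRACE = [
    Event("file", r"C:\Windows\explorer.exe", target=r"C:\Users\user\Downloads\04037599.js",
          hashes={"sha256": SAMPLE_SHA256}),
    Event("process", r"C:\Windows\System32\wscript.exe", parent=r"C:\Windows\explorer.exe"),
    Event("process", PS, parent=r"C:\Windows\System32\wscript.exe"),
    Event("network", PS, dest_host="mapla.com.mx"),
    Event("registry", PS, target=r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"),
    Event("registry", PS,
          target=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RemoteSupport"),
    Event("process", r"C:\Users\user\AppData\Roaming\RemoteSupport\client32.exe", parent=PS),
]

# Constructed benign activity: a browser talking to an unrelated host.
BENIGN_TRACE = [
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe", dest_host="example.com"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_TRACE)
    print(hits, verdict(hits))
```

The "checks_computer_location" rule only fires on a registry read, which Sysmon does not record (it logs key creation and value sets, not queries); that signal needs API-trace data from a sandbox or an EDR with registry-read telemetry, while the Run-key write, the script-host to PowerShell parent chain and the outbound request from PowerShell are all visible in ordinary Sysmon or EDR process, network and registry-set events.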

MITRE ATT&CK Enterprise v6

Tasks