netsupport | 3c80d5a47fbad45ffd405b5ab7b3dffbfd27d851d156799f397998a36822eb18 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

empl2530.zip
Size

13KB
Sample

230613-psby6agg3v
MD5

0bf92d29baf27bf1a8e3189edaa005be
SHA1

29a2a7573f3e985753b0f0305a91251e472b45dc
SHA256

3c80d5a47fbad45ffd405b5ab7b3dffbfd27d851d156799f397998a36822eb18
SHA512

f6a8e531a290e00703929c824a05e4730c3542e1839aad1c424b48f15491f256170b6d6836eca5902ec1b9faeab2ae63960bc3d3e43655e5a8c89849e450e841
SSDEEP

384:rpTVk9CrLGXEsg4vGEoKIkWCFW5elzvgklTp/umZ:N42qXpgQGEYkWLUzLld2mZ

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://navitainer.net/4th.zip

exe.dropper

http://YOUR.LINK/files/

Targets

- Target
  
  empl2530.js
- Size
  
  51KB
- MD5
  
  f0a018c1ef4ec29817788453a36a2ba9
- SHA1
  
  31f091037d7cf8675ce593864fda8d3a7c70258e
- SHA256
  
  0bdf78ab1e637ed039b10c63a1ecf30095acb9ed108726eb6010fe7471ff1ec4
- SHA512
  
  3985ac1c359e5483a2a75d9c59b15b4ce8d2ac76c002b83a0045719abbddaebe7ec9302f09c6bdda0c989a89cb1a5c57286d24c727abe41c47813d1ea4efb9f1
- SSDEEP
  
  1536:BsuYuVi2keOJee2NDIlUF0d9U77D6+T/I:euYuVLkeOJsk+F0d9mv6+T/I
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportpersistencerat