netsupport | f2b420f6222b61f6ebe76f82a5cde60d8abeb669a6865fceb9ebb8225cfb0b1f | Triage

Sharing

General

Target

doc674.js
Size

51KB
Sample

230614-l1mtvafg34
MD5

c5b3b22579773fea09e9b28a0c35acee
SHA1

e2576e3d51325b3ddfbfadf6e71844eb408de47d
SHA256

f2b420f6222b61f6ebe76f82a5cde60d8abeb669a6865fceb9ebb8225cfb0b1f
SHA512

c7713f804d608a7e2365b55d165c17e42e127e057d21cfe7cd5bedfb8b90980f7b0d7714e87fd74e3e60fc692a33c9c334f1b21e9fd424b9f1e2eccc8b968d98
SSDEEP

768:MvMFOYkBZTuKFKQRF6JNDJT0bSmO6AmXeZg6ig2WnMVVVPvYIoJsEmAxKMWuHoZl:McJTO2mXeZUVW2PAITzAxFWuI8OTN

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.snappyshop.it/img/index.php

Targets

- Target
  
  doc674.js
- Size
  
  51KB
- MD5
  
  c5b3b22579773fea09e9b28a0c35acee
- SHA1
  
  e2576e3d51325b3ddfbfadf6e71844eb408de47d
- SHA256
  
  f2b420f6222b61f6ebe76f82a5cde60d8abeb669a6865fceb9ebb8225cfb0b1f
- SHA512
  
  c7713f804d608a7e2365b55d165c17e42e127e057d21cfe7cd5bedfb8b90980f7b0d7714e87fd74e3e60fc692a33c9c334f1b21e9fd424b9f1e2eccc8b968d98
- SSDEEP
  
  768:MvMFOYkBZTuKFKQRF6JNDJT0bSmO6AmXeZg6ig2WnMVVVPvYIoJsEmAxKMWuHoZl:McJTO2mXeZUVW2PAITzAxFWuI8OTN
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportpersistencerat