netsupport | d720c060a4057004961c8af319f08d30b286cd3639d0fc0429c26c3d7319991a | Triage

Sharing

General

Target

fl180.js
Size

45KB
Sample

230708-kdkkjaeb3x
MD5

de3d0a48c7a6b6552922f4e88c55bf83
SHA1

2647c35cd861b225df8a6b34cb33724fce914a03
SHA256

d720c060a4057004961c8af319f08d30b286cd3639d0fc0429c26c3d7319991a
SHA512

1edb43bfdc0d682343994169c762465080c700dfa78d581ba864755c884eb9002112b25e906033c9e5b2d7194dfa53e22457cc6047c390a0cc03db68ec50b928
SSDEEP

768:JxyIPOhAwthDONQD2jjAHYH3GQuhKYNfHavg90dSDorycM8L:Jx0AwTDOC2j8W3GQuhKYNf6vgydko2cB

Score

10^/10

netsupport rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://turvavalaisin.fi/loco.zip

exe.dropper

https://turvavalaisin.fi/files/

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://turvavalaisin.fi/loco.zip

exe.dropper

https://turvavalaisin.fi/files/

Targets

- Target
  
  fl180.js
- Size
  
  45KB
- MD5
  
  de3d0a48c7a6b6552922f4e88c55bf83
- SHA1
  
  2647c35cd861b225df8a6b34cb33724fce914a03
- SHA256
  
  d720c060a4057004961c8af319f08d30b286cd3639d0fc0429c26c3d7319991a
- SHA512
  
  1edb43bfdc0d682343994169c762465080c700dfa78d581ba864755c884eb9002112b25e906033c9e5b2d7194dfa53e22457cc6047c390a0cc03db68ec50b928
- SSDEEP
  
  768:JxyIPOhAwthDONQD2jjAHYH3GQuhKYNfHavg90dSDorycM8L:Jx0AwTDOC2j8W3GQuhKYNf6vgydko2cB
Score

10^/10

netsupport rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

Privilege Escalation

Defense Evasion

BITS Jobs

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2