netsupport | d029906a972b203a8dc3db0aaa84545dec8b408733380054eb526326617b2852

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 01:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tempy/client32.exe
Size

99KB
MD5

f70b67c2b3204b7ddd8b755799cccff0
SHA1

a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256

213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512

54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63
SSDEEP

384:qUjV5+6j6Qa86Fkv2Wr120hZIq6nYPL7NheMxnB1:qgVZl6FhWr80/h6EN/

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	448	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
448	client32.exe

C:\Users\Admin\AppData\Local\Temp\tempy\client32.exe
"C:\Users\Admin\AppData\Local\Temp\tempy\client32.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:448

Network

DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

240.81.21.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.81.21.72.in-addr.arpa

IN PTR

Response
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

geo.netsupportsoftware.com

client32.exe

Remote address:

8.8.8.8:53

Request

geo.netsupportsoftware.com

IN A

Response

geo.netsupportsoftware.com

IN CNAME

geography.netsupportsoftware.com

geography.netsupportsoftware.com

IN A

62.172.138.8

geography.netsupportsoftware.com

IN A

51.142.119.24

geography.netsupportsoftware.com

IN A

62.172.138.67
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

62.172.138.8:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 16 Jul 2023 01:28:26 GMT
Connection: close
Content-Length: 315
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

62.172.138.8:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 16 Jul 2023 01:28:26 GMT
Connection: close
Content-Length: 315
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

62.172.138.8:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 16 Jul 2023 01:28:26 GMT
Connection: close
Content-Length: 315
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

118.244.158.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.244.158.94.in-addr.arpa

IN PTR

Response

118.244.158.94.in-addr.arpa

IN PTR

94-158-244-118 mivocloudcom
DNS

8.138.172.62.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.138.172.62.in-addr.arpa

IN PTR

Response

8.138.172.62.in-addr.arpa

IN PTR

securenetsupportsoftwarecom
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

57.21.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.21.101.95.in-addr.arpa

IN PTR

Response

57.21.101.95.in-addr.arpa

IN PTR

a95-101-21-57deploystaticakamaitechnologiescom
DNS

86.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.8.109.52.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

209.80.50.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.80.50.20.in-addr.arpa

IN PTR

Response

94.158.244.118:1203

http

client32.exe

2.1kB
816 B
9
7
62.172.138.8:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

348 B
624 B
5
3

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404
62.172.138.8:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

348 B
624 B
5
3

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404
62.172.138.8:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

348 B
624 B
5
3

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404

8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

240.81.21.72.in-addr.arpa

dns

71 B
142 B
1
1

DNS Request

240.81.21.72.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

geo.netsupportsoftware.com

dns

client32.exe

72 B
144 B
1
1

DNS Request

geo.netsupportsoftware.com

DNS Response

62.172.138.8

51.142.119.24

62.172.138.67
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

118.244.158.94.in-addr.arpa

dns

73 B
115 B
1
1

DNS Request

118.244.158.94.in-addr.arpa
8.8.8.8:53

8.138.172.62.in-addr.arpa

dns

71 B
114 B
1
1

DNS Request

8.138.172.62.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

57.21.101.95.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

57.21.101.95.in-addr.arpa
8.8.8.8:53

86.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.8.109.52.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

209.80.50.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

209.80.50.20.in-addr.arpa

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.