netsupport

General

Target

Update -1220231106.zip
Size

962KB
Sample

231106-vk31kace8t
MD5

b91f9bad347bbcaaf2ee27d9e2ad416e
SHA1

b03735a2d814fdb1013a70998b04c0e306e01815
SHA256

5185ce6d9b53b932ac20eff40592a75f1bd081a79f5b29afbfa22a5a5a32f485
SHA512

fea2f4c851bbdebcdd8962a0ecb4bfb2695fa340e0adb180482d88306845fba8d14aee04a1a1c1dad44c3a98c54d1ccb89c009930a2553677ec72c38123e2096
SSDEEP

24576:LIJIqD+Dd999gGvIJIqD+DRQSQMSQPGSIJIqD+Dd999gGwIJIqD+Dd999gG4IJI5:pDhaYDKDC

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://addisonlynch.com/111.php?5956

exe.dropper

https://addisonlynch.com/111.php?5956

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://addisonlynch.com/111.php?5721

exe.dropper

https://addisonlynch.com/111.php?5721

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://addisonlynch.com/111.php?6415

exe.dropper

https://addisonlynch.com/111.php?6415

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://addisonlynch.com/111.php?9348

exe.dropper

https://addisonlynch.com/111.php?9348

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://addisonlynch.com/111.php?13785

exe.dropper

https://addisonlynch.com/111.php?13785

Targets

- Target
  
  Setup/Update_browser_17.645327.js
- Size
  
  726KB
- MD5
  
  d2cd9e99660e1fff9cf9563cdcede422
- SHA1
  
  dbf6aa50ddddedde4e0e26f2ebce24253bda1cbe
- SHA256
  
  03d655f993a9ac6a5dfa30d82c633eb257981fb91fd123f021c712121178156d
- SHA512
  
  12e830e0ab6c0e07c5ab811a3f779f3228416c9ddccabedf216c85c9988c12763a24b459e3a5cebd72f41a994b98f0bb4f7131a646e6966eeae9d6e306f5eb91
- SSDEEP
  
  6144:JsBYMsBYMsBYMsBYMsBYMsBYXsBYMsBYMsBYMsBYMsBYMsBYMsBYMsBYm:JGGGGG5GGGGGGG0
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1
- Target
  
  Setup/Update_browser_17.645328.js
- Size
  
  726KB
- MD5
  
  69a1d7de741dd79441f391b846c626d7
- SHA1
  
  860db124f066582409a42c695b332980385a7984
- SHA256
  
  f8a0f6af272c5ff6d32d96430b9df40faac895693f62a679a2ec621ea1ca9c43
- SHA512
  
  dfd390c32909ea67328d6b39f36759d212acff82beab707bd878a40d7dd97b1383381558f9a40fdfc81af9eaf4215fef215ec6e5d6fa70786d3f2cc0e1eb7ca2
- SSDEEP
  
  6144:JsBYMsBYMsBYMsBYMsBYMsBYCsBYMsBYMsBYMsBYMsBYMsBYMsBYMsBYm:JGGGGGAGGGGGGG0
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral2
- Target
  
  Setup/Update_browser_17.645329.js
- Size
  
  726KB
- MD5
  
  69a1d7de741dd79441f391b846c626d7
- SHA1
  
  860db124f066582409a42c695b332980385a7984
- SHA256
  
  f8a0f6af272c5ff6d32d96430b9df40faac895693f62a679a2ec621ea1ca9c43
- SHA512
  
  dfd390c32909ea67328d6b39f36759d212acff82beab707bd878a40d7dd97b1383381558f9a40fdfc81af9eaf4215fef215ec6e5d6fa70786d3f2cc0e1eb7ca2
- SSDEEP
  
  6144:JsBYMsBYMsBYMsBYMsBYMsBYCsBYMsBYMsBYMsBYMsBYMsBYMsBYMsBYm:JGGGGGAGGGGGGG0
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral3
- Target
  
  Setup/Update_browser_17.645330.js
- Size
  
  726KB
- MD5
  
  2efac2d0fb5c73aba2828062637096e1
- SHA1
  
  9931246eb4fd43a0c1e9f0df096fb0891512dfd0
- SHA256
  
  febce0b1b4889ba6824cd2cf04f6b3394a4d83f5476f0ab98b72b4a8364ef245
- SHA512
  
  283a5c666b782920dae1be17e058901d160c65ae40baf3d9c140795e23b1ccef880f4e44e015c5990500701a33e7baf35eb0632923951132b509c8a2aa1619a9
- SSDEEP
  
  6144:JsBYMsBYMsBYMsBYMsBYMsBYFsBYMsBYMsBYMsBYMsBYMsBYMsBYMsBYm:JGGGGGrGGGGGGG0
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral4
- Target
  
  Update_browser_17.6436.js
- Size
  
  726KB
- MD5
  
  69a1d7de741dd79441f391b846c626d7
- SHA1
  
  860db124f066582409a42c695b332980385a7984
- SHA256
  
  f8a0f6af272c5ff6d32d96430b9df40faac895693f62a679a2ec621ea1ca9c43
- SHA512
  
  dfd390c32909ea67328d6b39f36759d212acff82beab707bd878a40d7dd97b1383381558f9a40fdfc81af9eaf4215fef215ec6e5d6fa70786d3f2cc0e1eb7ca2
- SSDEEP
  
  6144:JsBYMsBYMsBYMsBYMsBYMsBYCsBYMsBYMsBYMsBYMsBYMsBYMsBYMsBYm:JGGGGGAGGGGGGG0
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

NetSupport

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

NetSupport

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

NetSupport

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

NetSupport

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5