General

  • Target

    Update - 1220231213.zip

  • Size

    325KB

  • Sample

    231213-1e5j4abac9

  • MD5

    e1df218c9cd50d0b6143f23820c73aac

  • SHA1

    6a974c7c91c675bc6ce0de44765c4f361d5c77e3

  • SHA256

    f69fc48e63d4a52deea5efe6e6e5f3d2dc1fd0494d7969d7a2f48639e0cea4ff

  • SHA512

    e6863ca390927db20a5553312ded662c4dfed2bc34fc5b9c89592ad3ad450f32faf2be68fabcd58ae1ac957a107a147819bd045c41c11fc33a5c113cbf46e576

  • SSDEEP

    6144:jKXE45oLTt6p7YKnE45oLTt6p73KMT22P7KXE45oLTt6p7nKcT22Px:2xs6p7Lhs6p7aeuxs6p7KOx

Malware Config

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper: https://mindsnatchers.com/GetImageData.php?11840
    exe.dropper: https://mindsnatchers.com/GetImageData.php?11840

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper: https://mindsnatchers.com/GetImageData.php?11803
    exe.dropper: https://mindsnatchers.com/GetImageData.php?11803

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper: https://mindsnatchers.com/GetImageData.php?10972
    exe.dropper: https://mindsnatchers.com/GetImageData.php?10972

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper: https://mindsnatchers.com/GetImageData.php?14296
    exe.dropper: https://mindsnatchers.com/GetImageData.php?14296

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper: https://mindsnatchers.com/GetImageData.php?13604
    exe.dropper: https://mindsnatchers.com/GetImageData.php?13604

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper: https://mindsnatchers.com/GetImageData.php?10925
    exe.dropper: https://mindsnatchers.com/GetImageData.php?10925

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper: https://mindsnatchers.com/GetImageData.php?11080
    exe.dropper: https://mindsnatchers.com/GetImageData.php?11080

Targets

    • Target

      Setup/Update_browser_17.645327.js

    • Size

      297KB

    • MD5

      c3ab9e5d0c4d46e2ca54bda2a0ec456a

    • SHA1

      63d74b8120c4f17310c7beb573189cb86b08ff0f

    • SHA256

      5fe31db39eaf0eb6b5e6711e3880b3a52113439f9571eed2d09d575d8f2a2b6a

    • SHA512

      15526ee69ae2b4f6370dbf3cdb3dd43beb49e789e74d461a53d1d400b7d0fe97ed5296dcfb2ae52ba0bd74b626f99581e4f61d59372d5f9457531ffe54b965c9

    • SSDEEP

      3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BCMOpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BmcJ6QhO1T7cZd6Bp

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Setup/Update_browser_17.645328.js

    • Size

      297KB

    • MD5

      4fe2df26c9efcec0c90db7e890be6754

    • SHA1

      3edcb434a2aac42185777bf5b75f7527046a05ac

    • SHA256

      00cfc50dfea233fd224d28b46d6761ce2cbe744f04c950bf05791e9deb436958

    • SHA512

      9c0c1c5c5870539aadc102e42f7d82b894cdf8542b6263841bdfd251ce0db295009db57e65420f8d5b35ca1d1fa98bef0c2b9886f45c34808287f16c7fe792f2

    • SSDEEP

      3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BCqOpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BEcJ6QhO1T7cZd6Bp

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Setup/Update_browser_17.645329.js

    • Size

      297KB

    • MD5

      21672be9e05cd64b67a78bf882b9faa2

    • SHA1

      9d511b85ee408e1bfc15856f4cd55a83ed748c6b

    • SHA256

      89d46c03b8da238b4bca7ad1d0673da49acb5b6bbdadb8f2467ab289c18d6b37

    • SHA512

      95d936119230e2523bea6c42f1309d12e2d11f4f1ed6dab816175038ad2d875a973c4d6edef6e08b4c4fb93c13cb8e9e8a95ddd032aef4db8f7ea12b8e0e4f21

    • SSDEEP

      3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BC/OpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BZcJ6QhO1T7cZd6Bp

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Setup/Update_browser_17.645330.js

    • Size

      297KB

    • MD5

      c07b9f4286c498b1ad0128a1ce7d8296

    • SHA1

      56a74f9b9f737092c80d90d667ad2fdd2cbf6e98

    • SHA256

      e697a507229b457a3580674b104eb426c69aa77db3873fa593dbc6f5ff37cd05

    • SHA512

      f1b57f9a3538430e2342d9f6884214fa7dff0d03e2cd78375f0f1e92752ce06c5b4295998e888a4c45fef4df0e2ea1b320c98bbb41d9cd3f4085b65686b69611

    • SSDEEP

      3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BCaOpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6B0cJ6QhO1T7cZd6Bp

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Update_browser_17.6436.js

    • Size

      297KB

    • MD5

      21672be9e05cd64b67a78bf882b9faa2

    • SHA1

      9d511b85ee408e1bfc15856f4cd55a83ed748c6b

    • SHA256

      89d46c03b8da238b4bca7ad1d0673da49acb5b6bbdadb8f2467ab289c18d6b37

    • SHA512

      95d936119230e2523bea6c42f1309d12e2d11f4f1ed6dab816175038ad2d875a973c4d6edef6e08b4c4fb93c13cb8e9e8a95ddd032aef4db8f7ea12b8e0e4f21

    • SSDEEP

      3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BC/OpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BZcJ6QhO1T7cZd6Bp

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks