netsupport | 9b77ce9fb306d0cefc655ac7344838ec9484100b5353d5d73ef005db46b53369 | Triage

Sharing

General

Target

Update_browser_17.6436.js
Size

296KB
Sample

231226-v529rsbgd7
MD5

6bc9eccb481ac65cac1938e7f9a2b7e6
SHA1

1a975ed336ed6ce8da390ea48163f5886726b628
SHA256

9b77ce9fb306d0cefc655ac7344838ec9484100b5353d5d73ef005db46b53369
SHA512

e147814426d81ab2f7c77daebbaef3c2110188142aa877b4e514c5cf9a0b870b28f9613ed0f259d81b15c2b650673e3961c71d58e956d1ecfd049bd979b2617b
SSDEEP

3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2B9OpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BYcJ6QhO1T7cZd6Bp

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://proximaideia.com/GetData.php?7576

exe.dropper

https://proximaideia.com/GetData.php?7576

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://proximaideia.com/GetData.php?9961

exe.dropper

https://proximaideia.com/GetData.php?9961

Targets

- Target
  
  Update_browser_17.6436.js
- Size
  
  296KB
- MD5
  
  6bc9eccb481ac65cac1938e7f9a2b7e6
- SHA1
  
  1a975ed336ed6ce8da390ea48163f5886726b628
- SHA256
  
  9b77ce9fb306d0cefc655ac7344838ec9484100b5353d5d73ef005db46b53369
- SHA512
  
  e147814426d81ab2f7c77daebbaef3c2110188142aa877b4e514c5cf9a0b870b28f9613ed0f259d81b15c2b650673e3961c71d58e956d1ecfd049bd979b2617b
- SSDEEP
  
  3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2B9OpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BYcJ6QhO1T7cZd6Bp
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportpersistencerat

behavioral2

netsupportpersistencerat