netsupport | e7c06a549443b1aea924e62326edeb1ac4ee80699f5bc23024b1207ed5bece39 | Triage

Resubmissions

24/01/2024, 05:16

240124-fx5btsbdhn 10

23/01/2024, 11:06

240123-m7vcyaadf4 10

Sharing

General

Target

EU6696.zip
Size

10KB
Sample

240123-m7vcyaadf4
MD5

09620e5df09ac74cdcb0cc1b41f0aef9
SHA1

648792110944802b59568fad1e7ecf97e3f774d6
SHA256

e7c06a549443b1aea924e62326edeb1ac4ee80699f5bc23024b1207ed5bece39
SHA512

7be5aefbae56f61b1a332753971c8f0d7b3c840ff0d2f4f1551f40161dd2bcad7d10c4d524d0b0bd3760a4a34c74908eb7f708b82fcfa8914fcb33753a84ec0b
SSDEEP

192:6+nApu0ZGKU5NBfSNDwyJ8pkWgE+Ksj3CnrZ/m4aCoo8cZ6bl7s1RLn:6+Ap2v5NJSNsyJTXE1s7qZm4awxsblQ7

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://hsdiagnostico.com/readme.php

Extracted

Language

ps1

Source

URLs

exe.dropper

https://core-click.net/TVFrontend/NSM.zip

exe.dropper

https://core-click.net/TVFrontend/remcmdstub.zip

exe.dropper

https://core-click.net/TVFrontend/DLAA1view.zip

exe.dropper

https://core-click.net/TVFrontend/mock/

Targets

- Target
  
  EU6696.js
- Size
  
  28KB
- MD5
  
  9139b9c125a6a7fc50a5ba03283a37c3
- SHA1
  
  57299b0ccb2df30a8a46ca74c81039bd9f70f4c6
- SHA256
  
  bf309c56f147c8f73024569246dc6d38f912c93e5a0cbe2c688115dc332c2182
- SHA512
  
  229a25e890ad0fcd80ab505f78712de711f5c54c7814261ce7833dab5caea90737fc5edaea32e8c4637386561b7cd15408e666fac6fec51da63d6b66fa927db0
- SSDEEP
  
  768:IP3NoKEb1WFmkEVbUvxaP0EbMVeukFA0QmHal12Kyax53oAatZunzBc8mQP/QJn3:ttsBc8mQP/kqa3oc
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportpersistencerat