netsupport | hxxp://adclick[.]g[.]doubleclick[.]net/aclk?sa=L&ai=BqJtdBWxAU4nHJ4ip-wbk_4GICtyYktUEAAAAEAEgjKnsHTgAWLSxtaqWAWCZhoCA9CGyARZndW5kZW0ubWlsbGl5ZXQuY29tLnRyugEJZ2ZwX2ltYWdlyAEJ2gFYaHR0cDovL2d1bmRlbS5taWxsaXlldC5jb20udHIvMy1rb3BydS12aXlhZHVndW5kZS1nb2N1ay9ndW5kZW0vZGV0YXkvMTg2MjcyOC9kZWZhdWx0Lmh0bakCtlPlsBi_nz7AAgLgAgDqAjMvMTI4MDcwNjYwL01pbGxpeWV0X0d1bmRlbS9NaWxsaXlldF9HdW5kZW1fcGFnZXNraW74AvTRHoADAZADhAeYA4QHqAMB4AQBoAYf&num=0&sig=AOD64_1_qXBCwExb-oj6QlJ28w160fH3jQ&client=ca-pub-5526484441315121&adurl=%2F%2F%2Fgg[.]gg%2Fcarzzz%23mWXikzW | Triage

Sharing

General

Target

http://adclick.g.doubleclick.net/aclk?sa=L&ai=BqJtdBWxAU4nHJ4ip-wbk_4GICtyYktUEAAAAEAEgjKnsHTgAWLSxtaqWAWCZhoCA9CGyARZndW5kZW0ubWlsbGl5ZXQuY29tLnRyugEJZ2ZwX2ltYWdlyAEJ2gFYaHR0cDovL2d1bmRlbS5taWxsaXlldC5jb20udHIvMy1rb3BydS12aXlhZHVndW5kZS1nb2N1ay9ndW5kZW0vZGV0YXkvMTg2MjcyOC9kZWZhdWx0Lmh0bakCtlPlsBi_nz7AAgLgAgDqAjMvMTI4MDcwNjYwL01pbGxpeWV0X0d1bmRlbS9NaWxsaXlldF9HdW5kZW1fcGFnZXNraW74AvTRHoADAZADhAeYA4QHqAMB4AQBoAYf&num=0&sig=AOD64_1_qXBCwExb-oj6QlJ28w160fH3jQ&client=ca-pub-5526484441315121&adurl=%2F%2F%2Fgg.gg%2Fcarzzz%23mWXikzW
Sample

240123-sc399abdbm

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://boxtechcompany.com/1/GetData.php?11099

exe.dropper

https://boxtechcompany.com/1/GetData.php?11099

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://boxtechcompany.com/1/GetData.php?6833

exe.dropper

https://boxtechcompany.com/1/GetData.php?6833

Targets

- Target
  
  http://adclick.g.doubleclick.net/aclk?sa=L&ai=BqJtdBWxAU4nHJ4ip-wbk_4GICtyYktUEAAAAEAEgjKnsHTgAWLSxtaqWAWCZhoCA9CGyARZndW5kZW0ubWlsbGl5ZXQuY29tLnRyugEJZ2ZwX2ltYWdlyAEJ2gFYaHR0cDovL2d1bmRlbS5taWxsaXlldC5jb20udHIvMy1rb3BydS12aXlhZHVndW5kZS1nb2N1ay9ndW5kZW0vZGV0YXkvMTg2MjcyOC9kZWZhdWx0Lmh0bakCtlPlsBi_nz7AAgLgAgDqAjMvMTI4MDcwNjYwL01pbGxpeWV0X0d1bmRlbS9NaWxsaXlldF9HdW5kZW1fcGFnZXNraW74AvTRHoADAZADhAeYA4QHqAMB4AQBoAYf&num=0&sig=AOD64_1_qXBCwExb-oj6QlJ28w160fH3jQ&client=ca-pub-5526484441315121&adurl=%2F%2F%2Fgg.gg%2Fcarzzz%23mWXikzW
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

netsupportpersistencerat