netsupport | 7e95b7ab72daae1e7aa956a9b6dd4851061f158bef76dbfcfdfca0d3a54753c7 | Triage

Sharing

General

Target

Update_browser_121.0.616.js
Size

141KB
Sample

240205-y1nglahddp
MD5

5d982e1674c91ad7b246bcd2e328f2ee
SHA1

5783631fd26905b4bdf5b1e1f5df40c003313140
SHA256

7e95b7ab72daae1e7aa956a9b6dd4851061f158bef76dbfcfdfca0d3a54753c7
SHA512

19680964f52e322e78c828c21a345997214289eb64a6af02b084e9d3c2b9be4a6561b31d67d410ada8e56d82b47942a7c1dfb53e3d4c5c0dff2c3f33d8a30e23
SSDEEP

1536:HOpyD12CUUtsOpyD12CUUtBsOpyD12CUUtS:HOpyDEXUtsOpyDEXUtWOpyDEXUtS

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ghostcitygames.com/data.php?5063

exe.dropper

https://ghostcitygames.com/data.php?5063

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ghostcitygames.com/data.php?14371

exe.dropper

https://ghostcitygames.com/data.php?14371

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ghostcitygames.com/data.php?7612

exe.dropper

https://ghostcitygames.com/data.php?7612

Targets

- Target
  
  Update_browser_121.0.616.js
- Size
  
  141KB
- MD5
  
  5d982e1674c91ad7b246bcd2e328f2ee
- SHA1
  
  5783631fd26905b4bdf5b1e1f5df40c003313140
- SHA256
  
  7e95b7ab72daae1e7aa956a9b6dd4851061f158bef76dbfcfdfca0d3a54753c7
- SHA512
  
  19680964f52e322e78c828c21a345997214289eb64a6af02b084e9d3c2b9be4a6561b31d67d410ada8e56d82b47942a7c1dfb53e3d4c5c0dff2c3f33d8a30e23
- SSDEEP
  
  1536:HOpyD12CUUtsOpyD12CUUtBsOpyD12CUUtS:HOpyDEXUtsOpyDEXUtWOpyDEXUtS
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportpersistencerat

behavioral2

netsupportpersistencerat

behavioral3

netsupportpersistencerat