General

  • Target: 08022024_2231_07022024_ARS4254253425425.zip
  • Size: 10KB
  • Sample: 240208-rvkp7aee7w
  • MD5: e0746e290a9540934c606cb9f30c7505
  • SHA1: ffbec43711270a63b10d8cab84dffa6e9fcc5f26
  • SHA256: e114869d32aeda56a855e734631e32f5fbcca0682cea3f773f938518a754014a
  • SHA512: 9ff45f7b382a35714f395a83806566cb0c407ce6a5454846bb402e1ff2f57042548e4c2dd15ad0660c8976271e1ce6896db84cbfa2f92c9deefd634b270ef185
  • SSDEEP: 192:lUmY0tbJIH+iwJEPuJ6i6MVFejuYoA9OrGqF61Sz2CBbW8s5ybG4e7G6KK2:RY0tb+H0EW6RMRYMGDS9FU4sKK2

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
      • ps1.dropper: https://assime.ca/command.php

Extracted

  • Language: ps1
  • Source
  • URLs
      • exe.dropper: http://sakaleralo.com/ccea268b-8716-46be-9148-3e614b38a0df.txt

Targets

    • Target: ARS4254253425425.js
    • Size: 30KB
    • MD5: b3f0d4ff6b231ceb9bcf39d6d773f995
    • SHA1: 1f2b2b1eb4ce6bf53d1c42bfe08c5e642b1acfbb
    • SHA256: 93d8e735e2028a6bb2191ae91273d9a6999058b74f78ac1523c93a575b795c25
    • SHA512: 08e7332453dbf2a62e19edbc1ea5be251356547f02ea5afe60780d9d5ae330e18cab3c49e5ab43aa5ce7277aac672f73788db0ee84053484b9cbfb83aed7cca7
    • SSDEEP: 768:ic78kofr9MzttQJklxbYPP9/r3e2wFoehDrMZmvkBKRdZXOLkr8R2Jx/gwwNEBce:iK4mRYPPtr3jh+x5Y6CJhU/0m

    • NetSupport
      NetSupport is a remote access tool sold as legitimate system administration software.
    • Blocklisted process makes network request
    • Checks computer location settings
      Looks up the country code configured in the registry, likely used as a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application

MITRE ATT&CK Enterprise v15