General

  • Target

    e03e92ac8fb4660b37306d2e3054ff7b.bin

  • Size

    20KB

  • Sample

    240303-exs35acf8s

  • MD5

    c57ecf52d93358549c09e95a9b93cfbd

  • SHA1

    bcdefcdf4f306b9ca46345d509f61723a55601ca

  • SHA256

    05d7f4e148d4a7c92511ef6bb76bfe2d297d19aa04815f569510adc99b5ccfc4

  • SHA512

    c1cf072447e5f0e3fc8c5c7c75f20a7424705353100ebf051ee1bf163cde1b2c4fb4035729d0a4f3dce5f9d352043893c045a48333301780b2d8f1acee6f8932

  • SSDEEP

    384:phX5Fulk+cl7k0GwA5NZoqGn2DOk91IEUJSYRCkFF0XFvf:3Xbxt6la2DOk16QYRT0Xd

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://hotelashrafee.com/rem.txt

Extracted

Language
ps1
Source
URLs
exe.dropper

http://leadingbyte.com/e6a85777-d353-412d-acaf-b017744de8b8c.txt

Targets

    • Target

      c6a6520a8d9d4ada3c4c23ca97fe954be793f4eda9dc3b6e28d9588fa6051a98.js

    • Size

      53KB

    • MD5

      e03e92ac8fb4660b37306d2e3054ff7b

    • SHA1

      2e1d74fcceb08bac9f1498e99c5a2a3c30a93701

    • SHA256

      c6a6520a8d9d4ada3c4c23ca97fe954be793f4eda9dc3b6e28d9588fa6051a98

    • SHA512

      07d89001bff59317bd0121f37f77fde7a1ad0bb914e050f3212e7840cd75f6a2c1013b521322e3a5d1b73ae3218fc19fc455ea30140c1ee21c303df675b294b0

    • SSDEEP

      1536:Dy9WbpDiixx/hEn/+4wSlbl4scxwBJvO4TIWBC:DDBR/unwS5l4scqtPTLM

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
