General

  • Target

    I_477747774777SH_4777.zip

  • Size

    27KB

  • Sample

    240303-lfmcksgh82

  • MD5

    19df1813ad5b2f54ab5c19b6e6c6308f

  • SHA1

    007bb6ebe29a21f9b6344cceea64f27aa6147dbf

  • SHA256

    fad46899d17fbd6a686f29d6721aeb449b524bcab309920ca4ad30b84ab6791a

  • SHA512

    caaaecf49a066a0928d823c792dde26a2a3db60284ad3568aa90b55de5cecc84100b4d395dae259de099b021384e2d8cd7f0b7f405db3daa4092ab16d6d5ef93

  • SSDEEP

    768:atsp6c+Sq6xw0RdtB1HYsyqEF2M19rR2hBmURaCBd1:ND+S7xtdFHYsXM1jQEURaCb1

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper
    https://hotelashrafee.com/rem.txt

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper
    http://leadingbyte.com/e6a85777-d353-412d-acaf-b017744de8b8c.txt

Targets

    • Target

      I_477747774777SH_4777.js

    • Size

      70KB

    • MD5

      6168817e7808252a0175bb21426295c1

    • SHA1

      180ac0aa18ceb1f2c06321fdd7be4bd80def175c

    • SHA256

      cee471e525e0017d7a241b90d685d24d2b66c2251fe9782a350c5f2a1d57c68e

    • SHA512

      42533021c2876e3dd07be3dce4fc1f6e9f9e6b846ce6682af1912b4c21a9e53d7904ea450e4acb641316f60a5173058332c94d1b4ff020c9dcbc6a122195c4dd

    • SSDEEP

      1536:fDPh1Obk522cWTaNmuCzfqupYqBECfWQCSeQzFMa1hUJ:fLh8U22cCamukiuGChfWQMQz/rUJ

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks