General

  • Target

    e66f1675c6e60c7cb7d10290618c7b86269e6efa016c08ad5af9f12d16c925ef.js

  • Size

    62KB

  • Sample

    240303-rwh8racf58

  • MD5

    a05a8f4ff99e94ac57915c30a5db972c

  • SHA1

    99d07b915836f066d2ef20314e06ecbdb7a26e00

  • SHA256

    e66f1675c6e60c7cb7d10290618c7b86269e6efa016c08ad5af9f12d16c925ef

  • SHA512

    8ec4798f140452cbb05455784bb0d9f75504fc7592525c253048aa2834ce944f95057757eced1ddb8f9ae76bdfc42dea3e702d58f8ac985313dbe6a227508c46

  • SSDEEP

    1536:sARo4GPF1DsucfnjaW7hcoQUoSFgs8FHTxXzr/G:sA6DPF1IueneW7htoSFgPZp3/G

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://hotelashrafee.com/rem.txt

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper: http://leadingbyte.com/e6a85777-d353-412d-acaf-b017744de8b8c.txt

Targets

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks