General

  • Target

    DE-29022902.zip

  • Size

    21KB

  • Sample

    240304-xdgvvsah69

  • MD5

    92b3af660c0b3d263735188f5ee0145f

  • SHA1

    3d3f2e7619d7bc923b34ed3896df802d79462b22

  • SHA256

    66887231135e3536a03a2d87a11359bd567929d593b1ae025e16ca971db63625

  • SHA512

    3ffe8f53d555762f238a22c5d0cce18fb6d7d78082848762ae8acb9cbebd0a9949b6870930fc1ee476f3cb499e040248fb67fb2f19c541a2368b76f257cd4eac

  • SSDEEP

    384:4KSMzHd8SPoo8dIe9/ve7Xfp6KWGjeGWktX8zQ+Z2IU8IIyxobGUriEQ4tRP:J9lLU3e7XfcvL2MzQpIo1ob5rBP

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper: https://compactgrill.hu/care.txt

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: http://whatisfurosemide.com/f877c2e5-2949-4498-af83-6a5c5jd37342a.txt

Targets

    • Target

      DE-29022902.js

    • Size

      55KB

    • MD5

      8d414a76cdc1f8ba750bd9d48196a50a

    • SHA1

      eff9b4008ec33858f7a337d79886780b07d732e3

    • SHA256

      d601e8785756e05dc7dd7223476a5b75fd0bc6c6dfb84cff7faf00d2608b5b01

    • SHA512

      e5e575f5dd6712491b848a172112aa6ba75603e65d7fd64236aa91a0a1b1ae2995513621cec92fa40eec8e04e32b8d6d050130526ca0194c2984bdfb3c6afeba

    • SSDEEP

      1536:VWpAfwGN0EeAQANwU4IvY8wlSc2YIFmusUICE6:VZYGEAQANzY8wlxH8E6

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15