General

  • Target

    DE-29202920.zip

  • Size

    21KB

  • Sample

    240304-xdgvvsah72

  • MD5

    d6fb8c7469502264399ff7036f7bfece

  • SHA1

    3dac1c1c6508b7d36923bad8411716d3afc49680

  • SHA256

    fb569955a4518554000e5300ddc54d7878f4e85d74addfe4ee51bb861e34c299

  • SHA512

    c5a61e17e1bf3ca63d59dafc798543da47c941f13829976b2dd90e7c89cd5855a861c7511375f88d44c9eef5aedf081ab51cf1c631ea7f5cf92f95db507e14b3

  • SSDEEP

    384:IY1eKI23OKvD0OhGxHNOh/8aM+RjB+D3Y3CVUTci/z0rmbkkvM71luzoFc212E:IqFn7DGxHI/pBj0MS6rVAkvM71i7E

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://compactgrill.hu/care.txt

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://whatisfurosemide.com/f877c2e5-2949-4498-af83-6a5c5jd37342a.txt

Targets

    • Target

      DE-29202920.js

    • Size

      55KB

    • MD5

      8c1a5db42e7151f6fc6c620a965aafa0

    • SHA1

      971130c6a951e64373c8dcbffaa8f4e31f786c6d

    • SHA256

      29753f0ec51bd0f7d69139ad2b359333c6d1aed2937a2e16982c1a2fee3bb97c

    • SHA512

      63a2bf1ae93cde80100ca1ebd6f9dec0742b82152591b9e30f44578f7064951f38b5649f9ffac58aaefe4ddfee94c2b8d39dbfdf2cf5f666cf2edf2920175175

    • SSDEEP

      1536:GeUup4MVH3rQgHZ87RQ5Xlt/xcvZ6P2E8ANJqO:Vbx885xlt/xcveZF

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks