netsupport | 27b1a8906dcd0aeb0243387ef6a67d2bf7cf4718b601d4af7bf85d4acbbc72be | Triage

Sharing

General

Target

27b1a8906dcd0aeb0243387ef6a67d2bf7cf4718b601d4af7bf85d4acbbc72be.js
Size

56KB
Sample

240305-ckfwxscc23
MD5

fd867cffd82c6d258d8528263451b623
SHA1

13883561b5e85fb81f6b005c9f2770e5129abcc1
SHA256

27b1a8906dcd0aeb0243387ef6a67d2bf7cf4718b601d4af7bf85d4acbbc72be
SHA512

1e00ca36abf5bbee1ccd08c26b74b88819acbe64792abb34ce5d45183a7f67793fd2f17cf77bc981d82b6dae0f3f212139094c0ed760535d79a5f2d9ab75d6cf
SSDEEP

1536:j4F4gYZhtAcADh4P+F/ksRHkd5AdpXCau+DPGSvSu2qtAErLZ/95rbjd8if72A/m:SRYZYV4P+F/7BdpXCo4z

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://compactgrill.hu/care.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://whatisfurosemide.com/f877c2e5-2949-4498-af83-6a5c5jd37342a.txt

Targets

- Target
  
  27b1a8906dcd0aeb0243387ef6a67d2bf7cf4718b601d4af7bf85d4acbbc72be.js
- Size
  
  56KB
- MD5
  
  fd867cffd82c6d258d8528263451b623
- SHA1
  
  13883561b5e85fb81f6b005c9f2770e5129abcc1
- SHA256
  
  27b1a8906dcd0aeb0243387ef6a67d2bf7cf4718b601d4af7bf85d4acbbc72be
- SHA512
  
  1e00ca36abf5bbee1ccd08c26b74b88819acbe64792abb34ce5d45183a7f67793fd2f17cf77bc981d82b6dae0f3f212139094c0ed760535d79a5f2d9ab75d6cf
- SSDEEP
  
  1536:j4F4gYZhtAcADh4P+F/ksRHkd5AdpXCau+DPGSvSu2qtAErLZ/95rbjd8if72A/m:SRYZYV4P+F/7BdpXCo4z
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportpersistencerat