General
Target: (Official Build)_Update - 104539.zip
Size: 722KB
Sample: 240322-r67dbscg95
MD5: b73c3914e85bf715860e116aaae7e0c2
SHA1: 4562c2f65263c4e7735d8eadf8f3bec07828b896
SHA256: ae8c15b0801e5cacc19b586f1ba0df3b6121b7893cddb5dd44dc161c53e97a18
SHA512: 8e1ce17126610962bedefd77fa6130732dc5f3fafb026aeb901834df671e51cdc7d71d294379a63aa62c55a5e8fe3bc9eaf37b4795a7fc58e423df98ab43c9f9
SSDEEP: 12288:g969CmX8FMXrFgEvNJxwAGR//5y5ukzqhBI0jGP7lulDniFniFnh7VoDfwUmI5rW:g969j8FMXraE1zwAC/5ys1I0ylulDiF8
Static task: static1
Behavioral task: behavioral1
  Sample: Update_(Official Build)_121.0.616.js
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Update_(Official Build)_121.0.616.js
  Resource: win10v2004-20240226-en
Malware Config
Extracted: https://edulokam.com/data.php?11090
Extracted: https://edulokam.com/data.php?7636
Targets
Target: Update_(Official Build)_121.0.616.js
Size: 2.1MB
MD5: 06d126c1c612fff5200d81d27a55146d
SHA1: 855c4d47c573c62f73c339a9392fb22265c0a884
SHA256: 6369daabaaddeae0814f8ad5a1a931d180a32d7ef9c5738215aead2f6a90849c
SHA512: f29999b32558e4b3689b2439521c0266aba92afa312e4f230b4b7a0932ddfcc0b8141a77d966734bd65dba5f38cb714cf814bf4e42491709a99716b005f6b0d7
SSDEEP: 49152:blHeolHeolHeolHeolHeolHeolHeolHeolHeolHeolHeolHeTlHeolHeolHeolHJ:bhhhhhhhhhhhQhhhhhhhhhhhhhhhhhhd
Score: 10/10
NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
Blocklisted process makes network request
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)