General

  • Target

    Update - 130007.zip

  • Size

    721KB

  • Sample

    240322-v621dsec62

  • MD5

    15a4183472b984d1c8d3562889f62631

  • SHA1

    1ddefb9d81e8d51482dd4201aeaa6845a3814230

  • SHA256

    a2acfa2a3c60f90e0f9b1522b2abbdc4542aedfe41e74bd9ae273f272fa9b066

  • SHA512

    5ebe826242f4060f92f721830d93291a5f36914b5444f56c8fabdd99eae92c72e7e9df256735d4e9a4b7152bd49b832bfb8f47d361a23d678a7a24f62557cdb9

  • SSDEEP

    12288:x969CmX8FMXrFgEvNJxwAGR//5y5ukzqhBI0jGP7lulDniFniFnh7VoDfwUmI5rk:x969j8FMXraE1zwAC/5ys1I0ylulDiFq

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • ps1.dropper

    https://edulokam.com/data.php?11245

  • exe.dropper

    https://edulokam.com/data.php?11245

Extracted

  • Language

    ps1

  • Source

    URLs

  • ps1.dropper

    https://edulokam.com/data.php?7125

  • exe.dropper

    https://edulokam.com/data.php?7125

Targets

    • Target

      Install/Update_121.0.6161.js

    • Size

      33KB

    • MD5

      f736b65c14b584e70afc8f6a4adbb34d

    • SHA1

      44870d49a995241d8cd18769968b435e098189e7

    • SHA256

      28edbc9dd4c1ccc183e38ca2362e24c2b29b2575b006a1afd2110e5575f2b58e

    • SHA512

      6b279d67863e63b5e7c9b5d6de7536ece183fb1e7f482a9e6a4147893c6329f71b8e8cc1fe84a9b83a0392b8e5292b87bf8a3998ed63db12624f09a171d12351

    • SSDEEP

      768:qLMI3IRCElj+12oqpbGQMKZTqn981t8k9HA9TRgeBnNlBcfZP2fZtYCH2U8YSmR:+MI3jElC2oBQMGmn9uR9g9TRgeBNjWP2

    • Score

      1/10

    • Target

      Update_121.0.616.js

    • Size

      2.1MB

    • MD5

      06d126c1c612fff5200d81d27a55146d

    • SHA1

      855c4d47c573c62f73c339a9392fb22265c0a884

    • SHA256

      6369daabaaddeae0814f8ad5a1a931d180a32d7ef9c5738215aead2f6a90849c

    • SHA512

      f29999b32558e4b3689b2439521c0266aba92afa312e4f230b4b7a0932ddfcc0b8141a77d966734bd65dba5f38cb714cf814bf4e42491709a99716b005f6b0d7

    • SSDEEP

      49152:blHeolHeolHeolHeolHeolHeolHeolHeolHeolHeolHeolHeTlHeolHeolHeolHJ:bhhhhhhhhhhhQhhhhhhhhhhhhhhhhhhd

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks