netsupport | dc4be6108556c83d14c4502cba0da6a1a42a01dbf2e0edc8bfd3bd922b86d734 | Triage

Resubmissions

28-03-2024 06:11

240328-gxnvhscd42 10

19-03-2024 23:47

240319-3s3zjabf4x 10

Analysis

max time kernel
122s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 06:11

Sharing

Report Analysis Logs

General

Target

client32.exe
Size

117KB
MD5

a2b46c59f6e7e395d479b09464ecdba0
SHA1

92c132307dd21189b6d7912ddd934b50e50d1ec1
SHA256

89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
SHA512

4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916
SSDEEP

768:rNd8VZl6FhWr80/aVr2pe/1G42KFKcMkjWBr2pe/zcKFKcMkA:rfO0hGSBee/1GVIrveee/IIrU

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1632	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1632	client32.exe

C:\Users\Admin\AppData\Local\Temp\client32.exe
"C:\Users\Admin\AppData\Local\Temp\client32.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads