netsupport | 980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d

General

Target

77970896073BBAFDC8C1811414C62536.exe
Size

2.1MB
MD5

77970896073bbafdc8c1811414c62536
SHA1

c2d2fdbc9e80daa95e3046e2d3bd13e7ca312e18
SHA256

980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d
SHA512

5fc31572ad864ca15cd2eb7e8baadc62b72a72ad5d28da4ae04158f67b6cbfd1985983586fd6e51a4781bdffbdd557b30d44d38a3a37ae88cf785c834d739a30
SSDEEP

49152:/Xe2JFJ0l5VO6T9xX2AdPj15GZ0yB/dqyvVamJW:/Xe2JFJ0liu3GAdPj15GZft6

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunner201.ini.lnk	77970896073BBAFDC8C1811414C62536.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	client32.exe

Loads dropped DLL 10 IoCs

pid	Process
1132	77970896073BBAFDC8C1811414C62536.exe
1132	77970896073BBAFDC8C1811414C62536.exe
1132	77970896073BBAFDC8C1811414C62536.exe
1132	77970896073BBAFDC8C1811414C62536.exe
1132	77970896073BBAFDC8C1811414C62536.exe
2572	client32.exe
2572	client32.exe
2572	client32.exe
2572	client32.exe
2572	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2572	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2572	client32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2572	1132	77970896073BBAFDC8C1811414C62536.exe	28
PID 1132 wrote to memory of 2572	1132	77970896073BBAFDC8C1811414C62536.exe	28
PID 1132 wrote to memory of 2572	1132	77970896073BBAFDC8C1811414C62536.exe	28
PID 1132 wrote to memory of 2572	1132	77970896073BBAFDC8C1811414C62536.exe	28
PID 1132 wrote to memory of 2572	1132	77970896073BBAFDC8C1811414C62536.exe	28
PID 1132 wrote to memory of 2572	1132	77970896073BBAFDC8C1811414C62536.exe	28
PID 1132 wrote to memory of 2572	1132	77970896073BBAFDC8C1811414C62536.exe	28

C:\Users\Admin\AppData\Local\Temp\77970896073BBAFDC8C1811414C62536.exe
"C:\Users\Admin\AppData\Local\Temp\77970896073BBAFDC8C1811414C62536.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe
  "C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2572

Network

DNS

Amnahuseta19.com

client32.exe

Remote address:

8.8.8.8:53

Request

Amnahuseta19.com

IN A

Response
DNS

geo.netsupportsoftware.com

client32.exe

Remote address:

8.8.8.8:53

Request

geo.netsupportsoftware.com

IN A

Response

geo.netsupportsoftware.com

IN A

104.26.0.231

geo.netsupportsoftware.com

IN A

172.67.68.212

geo.netsupportsoftware.com

IN A

104.26.1.231
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

104.26.0.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 13 Apr 2024 11:16:13 GMT
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 873b0aedfb4f53a5-LHR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDSSRSABDA=LBGLNONAAAFGHFKDJHOABJEJ; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mqye3WMQsQYB0%2BW%2BXchd0Y%2BJ%2FmkYpdl22riKpQUiZ%2FyxTooyCYarFUVuhTZN0WRQYxullxp067gEIGmQyXJmwceO5bieXMbu62SNi2RRW%2FzdhnKMCGRXOShDuDWDIuzsbW3IYf2ljvMbBvwY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
DNS

Amnahuseta20.com

client32.exe

Remote address:

8.8.8.8:53

Request

Amnahuseta20.com

IN A

Response

Amnahuseta20.com

IN A

127.0.0.127
DNS

Amnahuseta19.com

client32.exe

Remote address:

8.8.8.8:53

Request

Amnahuseta19.com

IN A

Response
DNS

Amnahuseta19.com

client32.exe

Remote address:

8.8.8.8:53

Request

Amnahuseta19.com

IN A
DNS

Amnahuseta20.com

client32.exe

Remote address:

8.8.8.8:53

Request

Amnahuseta20.com

IN A

Response

Amnahuseta20.com

IN A

127.0.0.127

104.26.0.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

394 B
1.2kB
6
5

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

200
127.0.0.127:3122

client32.exe
127.0.0.127:3122

client32.exe

8.8.8.8:53

Amnahuseta19.com

dns

client32.exe

62 B
62 B
1
1

DNS Request

Amnahuseta19.com
8.8.8.8:53

geo.netsupportsoftware.com

dns

client32.exe

72 B
120 B
1
1

DNS Request

geo.netsupportsoftware.com

DNS Response

104.26.0.231

172.67.68.212

104.26.1.231
8.8.8.8:53

Amnahuseta20.com

dns

client32.exe

62 B
78 B
1
1

DNS Request

Amnahuseta20.com

DNS Response

127.0.0.127
8.8.8.8:53

Amnahuseta19.com

dns

client32.exe

124 B
62 B
2
1

DNS Request

Amnahuseta19.com

DNS Request

Amnahuseta19.com
8.8.8.8:53

Amnahuseta20.com

dns

client32.exe

62 B
78 B
1
1

DNS Request

Amnahuseta20.com

DNS Response

127.0.0.127

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\updtewinsup221\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\NSM.LIC

Filesize
261B

MD5
886e4bb84e1ecc4a04ae599d76fcce1d

SHA1
3f0493bb2088af50bcc8223462db0b207354e946

SHA256
5eeb014e3b390e0c85ce72988d422dcd9de1520566b11755c70bdd9bb7376060

SHA512
f4db9038a113c4b1e2462b3e0becef2500c9532a79c8187f51d011d690bc68c6d1a99585e43136cb082bd6a232136546db50265f226ff19e67d8430306a8761f

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\PCICL32.dll

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.ini

Filesize
761B

MD5
d08afe2af7e89b127b3e9388ea505915

SHA1
f9d9e682417410d7046c7ecf6958458f245c9eff

SHA256
7fb2efd09c92cff4d5cb3efb26628aba91ec17f28c0dbdb407384dbc4627d7f8

SHA512
ce521154ba568fb27bddcb02fe6211294717d2d541cb25bcf6ab8bfe4dae74316c12df9754dc98473037d5610f8b70e02337f9c96fe9426e24ad86b91eb207a3

Download Submit
\Users\Admin\AppData\Roaming\updtewinsup221\PCICHEK.DLL

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\updtewinsup221\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\AppData\Roaming\updtewinsup221\pcicapi.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.