netsupport | 0f4e0561a97a1d9aa5886b68edbf866270b30fb2f06ee38806d90f046cc1266f | Triage

Sharing

General

Target

boxter.ps1.ps1
Size

833B
Sample

240422-levbsshh77
MD5

b03ddc7f6f6b1dba0c88ec632c049ddf
SHA1

89871df8e008514031638322a700b5f7bfd3dd11
SHA256

0f4e0561a97a1d9aa5886b68edbf866270b30fb2f06ee38806d90f046cc1266f
SHA512

901329ea08cd46cfe3f3f7bc003c1999e0cefc08393bd59cd4ebbc8e417e76e11b10f3754888e7fff3d42f04cd94a04c519c0d907b5b9a20fd0f14ad1de21342

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://extendaloan.com/2345703467245762476247.txt

Targets

- Target
  
  boxter.ps1.ps1
- Size
  
  833B
- MD5
  
  b03ddc7f6f6b1dba0c88ec632c049ddf
- SHA1
  
  89871df8e008514031638322a700b5f7bfd3dd11
- SHA256
  
  0f4e0561a97a1d9aa5886b68edbf866270b30fb2f06ee38806d90f046cc1266f
- SHA512
  
  901329ea08cd46cfe3f3f7bc003c1999e0cefc08393bd59cd4ebbc8e417e76e11b10f3754888e7fff3d42f04cd94a04c519c0d907b5b9a20fd0f14ad1de21342
Score

10^/10

netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportpersistencerat