netsupport | 89dab4aad85879ed827c8d60f1d422df4ed82898fd61405da669022f49410412 | Triage

Sharing

General

Target

MDE_File_Sample_31fb7afe1920ef2860bd569bb3aa315ee0d0a8e9.zip
Size

5.8MB
Sample

240506-p273ysca9x
MD5

0044ba572da02ad909bfab36ce5b52af
SHA1

b5e55e1d4be9ab0c83105875566b11abc25192eb
SHA256

89dab4aad85879ed827c8d60f1d422df4ed82898fd61405da669022f49410412
SHA512

6079023ab759d094237e5f3a15b9e4d7c49db2c1441ee2c8f89a15f71a2b8ba38f0db0216bef25e100d77a0c12221c343f645334dfbe8a5c35cac6eb180a69a0
SSDEEP

98304:kWrJqcq4zJMjbKNu75EgNKTnkaVzbQKpIC5cPPWIh4eq+8TiK6WoUN1qt3/7B:3zJMSA7CfTnk6b5p55YP3h4eqtTiK6tt

Score

10^/10

netsupport execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pdd888167.top/data.php?7057

exe.dropper

https://pdd888167.top/data.php?7057

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pdd888167.top/data.php?11886

exe.dropper

https://pdd888167.top/data.php?11886

Targets

- Target
  
  Update_123.0.6312.111.js
- Size
  
  22.4MB
- MD5
  
  c0e810d8e3142bfc0c5cd606e1316f5f
- SHA1
  
  61f4b334b4a2a723469a65a3c16361f578b7ef2d
- SHA256
  
  c44c75c3724806765edb1de79f9c459980537761769d54dc173540cf7d0775f5
- SHA512
  
  3f527308119d90e39ec431366020842873d3d1da3886aadca04d8e8f1509324742766d6b0663af1e2f42f5416d4c2015a89afde18248e6e746e6bcd700267a87
- SSDEEP
  
  49152:I7VIzjCxbeqHlp4WhwN0b/hJ9EiItYzYqmZV+86OL3t0/r39GoD53quUQKugpcEa:W
Score

10^/10

execution netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportexecutionpersistencerat