netsupport | b137bcb29d0d26422581e4e556bc1f9f29096d21de865c7d1a3e945434edd07f | Triage

Sharing

General

Target

Telex58734.pdf.lnk
Size

1KB
Sample

240529-tny1cacb24
MD5

ee0e01d5cde42c26bba7e8b06380c146
SHA1

042c5bf844185917bd38d86b88640656b8710c2b
SHA256

b137bcb29d0d26422581e4e556bc1f9f29096d21de865c7d1a3e945434edd07f
SHA512

2af9903fb458549dab35e290229d62a68f692dacb3515d66e092b86bc24e8e4c4e79c80ab6d0df42a0e11365f27ece414acc04f4932f23dd588ce89e89f98831

Score

10^/10

netsupport execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://compliancekyc.s3.eu-west-1.amazonaws.com/jv.exe

Targets

- Target
  
  Telex58734.pdf.lnk
- Size
  
  1KB
- MD5
  
  ee0e01d5cde42c26bba7e8b06380c146
- SHA1
  
  042c5bf844185917bd38d86b88640656b8710c2b
- SHA256
  
  b137bcb29d0d26422581e4e556bc1f9f29096d21de865c7d1a3e945434edd07f
- SHA512
  
  2af9903fb458549dab35e290229d62a68f692dacb3515d66e092b86bc24e8e4c4e79c80ab6d0df42a0e11365f27ece414acc04f4932f23dd588ce89e89f98831
Score

10^/10

netsupport execution rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportexecutionrat