netsupport | 10585bbc8a42ce31feda61126cd245ec22d98870fde6c2742d44ef08eaa11b67 | Triage

Sharing

General

Target

updates.js
Size

7.3MB
Sample

240605-t1gltsca7z
MD5

a05000c90cff2539713a0c3036ddde7d
SHA1

906117ba8d23127d1f60c2bbb50415038e0933d1
SHA256

10585bbc8a42ce31feda61126cd245ec22d98870fde6c2742d44ef08eaa11b67
SHA512

554662f8fe351e9dc8f9e7cbf4fd072d4cbcd2e7ca31699c959bfc3106630acb52d1e14e368ba75182ae150db72422aba7052cad3b3e5a64120ae02bd2e80542
SSDEEP

49152:e7h4zjCxb7qHlp4XONN0G7h20kQmwYzYMm7u+8wgJ3wr/xN1GIWx3qpWROg2cE0M:p

Score

10^/10

netsupport execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://lilygovert91.top/data.php?13264

exe.dropper

http://lilygovert91.top/data.php?13264

Targets

- Target
  
  updates.js
- Size
  
  7.3MB
- MD5
  
  a05000c90cff2539713a0c3036ddde7d
- SHA1
  
  906117ba8d23127d1f60c2bbb50415038e0933d1
- SHA256
  
  10585bbc8a42ce31feda61126cd245ec22d98870fde6c2742d44ef08eaa11b67
- SHA512
  
  554662f8fe351e9dc8f9e7cbf4fd072d4cbcd2e7ca31699c959bfc3106630acb52d1e14e368ba75182ae150db72422aba7052cad3b3e5a64120ae02bd2e80542
- SSDEEP
  
  49152:e7h4zjCxb7qHlp4XONN0G7h20kQmwYzYMm7u+8wgJ3wr/xN1GIWx3qpWROg2cE0M:p
Score

10^/10

execution netsupport persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportexecutionpersistencerat