netsupport | 043b4b669bfb4c8c12bcd6c66925b9ef3d8c78bf7a56c79dc07862b1c6c21f1d | Triage

Sharing

General

Target

updates.js
Size

2.7MB
Sample

240727-aswagaxhjg
MD5

9dee96d1aed9f08a3b40bcf3c26ade1e
SHA1

500db417d1c81725a4a8a6cbe18b77fd0c58c7f3
SHA256

043b4b669bfb4c8c12bcd6c66925b9ef3d8c78bf7a56c79dc07862b1c6c21f1d
SHA512

5d82faa0cd03e5a5a4107c9303cd1525ee23cefe3b83e282667ec76501912ea7f050b184d0865db0b1e6ba66962052f2b4a178a41b4b24d058d6f4302423d09a
SSDEEP

49152:DA4yxjzCgTpCffzZtrCP7sQs0iy/ss7+ZdhN6j4GusjtWsDtzXY7aIvJLwHcw1bI:f

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://hhic.top/data.php?12760

exe.dropper

http://hhic.top/data.php?12760

Targets

- Target
  
  updates.js
- Size
  
  2.7MB
- MD5
  
  9dee96d1aed9f08a3b40bcf3c26ade1e
- SHA1
  
  500db417d1c81725a4a8a6cbe18b77fd0c58c7f3
- SHA256
  
  043b4b669bfb4c8c12bcd6c66925b9ef3d8c78bf7a56c79dc07862b1c6c21f1d
- SHA512
  
  5d82faa0cd03e5a5a4107c9303cd1525ee23cefe3b83e282667ec76501912ea7f050b184d0865db0b1e6ba66962052f2b4a178a41b4b24d058d6f4302423d09a
- SSDEEP
  
  49152:DA4yxjzCgTpCffzZtrCP7sQs0iy/ss7+ZdhN6j4GusjtWsDtzXY7aIvJLwHcw1bI:f
Score

10^/10

execution netsupport discovery persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportdiscoveryexecutionpersistencerat

behavioral3

netsupportdiscoveryexecutionpersistencerat

behavioral4

netsupportdiscoveryexecutionpersistencerat