netsupport | 82ddf074c4a3eada480979953ff59750cae41723995a601abc01268569c2038d | Triage

Sharing

General

Target

astronomicspace.com_main.php__
Size

12.6MB
Sample

240805-rbw9waxhrj
MD5

05573c6b7a7f22701ac8053d4fc7c55c
SHA1

9daf45a1592d0bb5bebfdc35857d634a6889081a
SHA256

82ddf074c4a3eada480979953ff59750cae41723995a601abc01268569c2038d
SHA512

572546e637a4fd57f326b3f54cf5c9c12a5cf24d82b33da8ced077651385f5c45f14c89b676c245f414cecd6f309fc92486f01bdcfa8110fe9f550730251ea13
SSDEEP

49152:MT44Fx9csgNhxf30trtv0OWuGi0EfdxQI4DRjIzAyOEaW3TzqXCBLN1DfVNjDu06:b

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://c08d.top/data.php?10030

exe.dropper

http://c08d.top/data.php?10030

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://c08d.top/data.php?10758

exe.dropper

http://c08d.top/data.php?10758

Targets

- Target
  
  astronomicspace.com_main.php__
- Size
  
  12.6MB
- MD5
  
  05573c6b7a7f22701ac8053d4fc7c55c
- SHA1
  
  9daf45a1592d0bb5bebfdc35857d634a6889081a
- SHA256
  
  82ddf074c4a3eada480979953ff59750cae41723995a601abc01268569c2038d
- SHA512
  
  572546e637a4fd57f326b3f54cf5c9c12a5cf24d82b33da8ced077651385f5c45f14c89b676c245f414cecd6f309fc92486f01bdcfa8110fe9f550730251ea13
- SSDEEP
  
  49152:MT44Fx9csgNhxf30trtv0OWuGi0EfdxQI4DRjIzAyOEaW3TzqXCBLN1DfVNjDu06:b
Score

10^/10

netsupport discovery execution persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportdiscoveryexecutionpersistencerat