netsupport | 7ffa3d0d460fdaaba450e3f74e4420e152d27185166421e91a853c04f24acb77 | Triage

Sharing

General

Target

cd878585f2e6447f52d1ccba5ae7739c55d8e441dde781548229dffe71e94319.zip
Size

1.0MB
Sample

240816-rnjvbashmq
MD5

8e386ab35d450b6a59134df006697219
SHA1

c4ac5366f507b9108dc66ac7e61a26acf7fcb660
SHA256

7ffa3d0d460fdaaba450e3f74e4420e152d27185166421e91a853c04f24acb77
SHA512

e8786a846b18fd55417c33ffccbf49bbaae90e974dc4c594570649904a5ab7520f5f020ea7ea3320ddae0dd14a48cd65edc7bd59e491895c5ce21fcc19cf9531
SSDEEP

24576:btgwfPkRzqsY9Yxh3702SkHnbbzLjQNBzPKw2+f:dcV/9h3702SgbbvjQ3zpf

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://estafetaofj.top/data.php?14473

exe.dropper

https://estafetaofj.top/data.php?14473

Targets

- Target
  
  cd878585f2e6447f52d1ccba5ae7739c55d8e441dde781548229dffe71e94319.mal_
- Size
  
  5.2MB
- MD5
  
  d9dddf370ea4db7a0ef38c35cfb16375
- SHA1
  
  ce1e20428a625a32123ade0effab2ab51944df7d
- SHA256
  
  cd878585f2e6447f52d1ccba5ae7739c55d8e441dde781548229dffe71e94319
- SHA512
  
  46a967a055dc8bb89c2d830ab125c7e0172880b700e33131f0a714492f46e74940b350c85aff37c99bad5a01513244dfb2861f30c612e3f685ce0d7eb87f7abe
- SSDEEP
  
  24576:ndtGeTldtGeT5xr4RQgdxxr4RQgdd3a00cpt9i3a00cpt95:nvlv51gdx1gdd3bFi3bF5
Score

10^/10

netsupport discovery execution persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportdiscoveryexecutionpersistencerat

behavioral2

discoveryexecution