netsupport | aaad6ee087c6942dad2e084453cafe83cd6ec26f62dbe43b1254345828f7cbac | Triage

Sharing

General

Target

c-users-bcrabtree-downloads-update-js.txt
Size

5.2MB
Sample

240823-s2l29ssfpg
MD5

9967ea6d3719ab8cc181766ba7098b3b
SHA1

f26c05f206a6d06761f46abd40ae1aa381861d73
SHA256

aaad6ee087c6942dad2e084453cafe83cd6ec26f62dbe43b1254345828f7cbac
SHA512

d64b3d3a45c2dee4fd712444903992757772187ead4a0f23d5856270c18c0c80eb7626404b1104a41cae42decd5be16c137b41608c335e994fe1a40ed6eb8f59
SSDEEP

49152:6sz6FvpOiHY7sz6FvpOiHYXsz6FvpOiHY7sz6FvpOiHYIsz6FvpOiHY7sz6FvpO8:60WQ0Ws0WQ0Wz0WQ0Ws0WQ0W5

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://aweland.store/data.php?11448

exe.dropper

https://aweland.store/data.php?11448

Targets

- Target
  
  c-users-bcrabtree-downloads-update-js.txt
- Size
  
  5.2MB
- MD5
  
  9967ea6d3719ab8cc181766ba7098b3b
- SHA1
  
  f26c05f206a6d06761f46abd40ae1aa381861d73
- SHA256
  
  aaad6ee087c6942dad2e084453cafe83cd6ec26f62dbe43b1254345828f7cbac
- SHA512
  
  d64b3d3a45c2dee4fd712444903992757772187ead4a0f23d5856270c18c0c80eb7626404b1104a41cae42decd5be16c137b41608c335e994fe1a40ed6eb8f59
- SSDEEP
  
  49152:6sz6FvpOiHY7sz6FvpOiHYXsz6FvpOiHY7sz6FvpOiHYIsz6FvpOiHY7sz6FvpO8:60WQ0Ws0WQ0Wz0WQ0Ws0WQ0W5
Score

10^/10

execution netsupport discovery persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportdiscoveryexecutionpersistencerat