netsupport | f43237bf898b7cb606808cf42466be3d306394ed8d1e0a0f0342bb6d3a4b6da1 | Triage

Sharing

General

Target

ba583aa6128b64d9c417f5463d6716aa6d112c77cc69e9a643dafa8fb7738b99.zip
Size

430KB
Sample

240831-sb2p2azarg
MD5

3baff31b58811cec03deb0156d0a04e5
SHA1

cd38495a00b3d2b387595537afcf0aabc94fa46f
SHA256

f43237bf898b7cb606808cf42466be3d306394ed8d1e0a0f0342bb6d3a4b6da1
SHA512

dab712ea11c32af7b94961797b5c1b2c2c7331d8bb33df5dd43fcb7c497249da3161c133d5f24658af75ae1139214145cd922d0c27576622482e23def452e301
SSDEEP

12288:oCnGM0IFRh1QOBJFIqSvxDNxSseGyu6URNs:NnTFhvFIqSvDciyu6UNs

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentyrooms.com/cdn-vs/data.php?13536

exe.dropper

https://rentyrooms.com/cdn-vs/data.php?13536

Targets

- Target
  
  ba583aa6128b64d9c417f5463d6716aa6d112c77cc69e9a643dafa8fb7738b99
- Size
  
  2.6MB
- MD5
  
  e9af416c1c0773cb7a689c8a58ee5150
- SHA1
  
  482c487c48694e335832024d93b575ecfb7c0d2b
- SHA256
  
  ba583aa6128b64d9c417f5463d6716aa6d112c77cc69e9a643dafa8fb7738b99
- SHA512
  
  2653d1b113562ec37d0c105006501aae0cc906bba123e376a85a2894885d66d5edc9669a6d930402875713d02df0fa9d05920078b5711fe162cf43c70ca3a2b6
- SSDEEP
  
  49152:6sz6FvpOiHY7sz6FvpOiHYUsz6FvpOiHY7sz6FvpOiHY0:60WQ0Wp0WQ0W5
Score

10^/10

execution netsupport discovery persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportdiscoveryexecutionpersistencerat