netsupport | 0dc3a40e9f726f18e3ebac92ee5944d9c12b2ee71252f2b711434c3628877ca1 | Triage

Sharing

General

Target

0dc3a40e9f726f18e3ebac92ee5944d9c12b2ee71252f2b711434c3628877ca1
Size

2.6MB
Sample

240905-h7rjtswfmg
MD5

2a6667f1c14bb04e8e149f416406264b
SHA1

fe92948fecb44112ac77cd35f8537a614b5c2482
SHA256

0dc3a40e9f726f18e3ebac92ee5944d9c12b2ee71252f2b711434c3628877ca1
SHA512

931b64a7f856057781f876cd769a486482a7455038fa52c823339784172decaf1fd5feabbd1a67a65be248f3a881d497e7ae99f33661f2228d827871883f9e16
SSDEEP

49152:6sz6FvpOiHY7sz6FvpOiHYqsz6FvpOiHY7sz6FvpOiHY0:60WQ0Wb0WQ0W5

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://kineticrockburgers.com/cdn-vs/data.php?13271

exe.dropper

https://kineticrockburgers.com/cdn-vs/data.php?13271

Targets

- Target
  
  0dc3a40e9f726f18e3ebac92ee5944d9c12b2ee71252f2b711434c3628877ca1
- Size
  
  2.6MB
- MD5
  
  2a6667f1c14bb04e8e149f416406264b
- SHA1
  
  fe92948fecb44112ac77cd35f8537a614b5c2482
- SHA256
  
  0dc3a40e9f726f18e3ebac92ee5944d9c12b2ee71252f2b711434c3628877ca1
- SHA512
  
  931b64a7f856057781f876cd769a486482a7455038fa52c823339784172decaf1fd5feabbd1a67a65be248f3a881d497e7ae99f33661f2228d827871883f9e16
- SSDEEP
  
  49152:6sz6FvpOiHY7sz6FvpOiHYqsz6FvpOiHY7sz6FvpOiHY0:60WQ0Wb0WQ0W5
Score

10^/10

execution netsupport discovery persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportdiscoveryexecutionpersistencerat