netsupport | 68672e134eeb33ed9beede872a000843694e382697abf3309cafa6367b6c7154 | Triage

Sharing

General

Target

19091416721.zip
Size

3.0MB
Sample

240919-pmjrtayenr
MD5

98b696dcc9fd03b0bb7823e88b599462
SHA1

bfb41a5c734636a5824f4c02478fbed887e648e1
SHA256

68672e134eeb33ed9beede872a000843694e382697abf3309cafa6367b6c7154
SHA512

7310e1668c25165b4f19e183a7dbcbc68f3c56701a8fc5d1da12c975bceecefe6588b8164389d12e97ffc8504f7200d0bb0bfb49ecc85b4a13de268e14285b48
SSDEEP

98304:bOelXn6W/K33LBGxjL6VhPc8XpA9r3NtfLexZtcA:bNxnkngX6zGB7fLexZtcA

Score

10^/10

netsupport discovery evasion execution persistence rat

Malware Config

Targets

- Target
  
  ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e
- Size
  
  6.2MB
- MD5
  
  f30257ceae9a67d36a4e62f20ca7da00
- SHA1
  
  e3ca7a72b61fac410b406163ecc299b89f01224a
- SHA256
  
  ea34bd669623b802574b8da23549a66227b7aea5480e80289ec8b2ff6dc5cd7e
- SHA512
  
  f301745a2474911510066eb58178a804c1aedff3f40102b1ecd6078dd87ee59f12dd6217c23481c1ef78ab625079e1a733ae70d7de470a321802a5f0afcf378b
- SSDEEP
  
  98304:Cwi471aEj6tOKNnwp2QNNVNDP+f4GXpcNB6wijexMRq:I4AErp2oWj5fjexb
Score

10^/10

netsupport discovery evasion rat execution persistence
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportdiscoveryevasionrat

behavioral3

behavioral4

netsupportdiscoveryevasionexecutionpersistencerat