netsupport | 67f7d43359b5087579c9eb9b1c8201c8168f56c8dfb00b2f0f8c4960b3ebb683 | Triage

Sharing

General

Target

Update.js
Size

6.7MB
Sample

240925-wtdygazbmp
MD5

ca8853d69abc5af704d4a71d2da11f83
SHA1

7c5179a432de485c26a660dd025a3b20ef0d7345
SHA256

67f7d43359b5087579c9eb9b1c8201c8168f56c8dfb00b2f0f8c4960b3ebb683
SHA512

c5df1d8c8b23910cff388da28667526d16855c4459e91b860a0000d931c3fb1506d2ec75ae49a53f21a3bf3eec323e7d1d319c323444406650786e6ad43b3de4
SSDEEP

49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fuJCz4F9dM2furCz4F9dMf:OkGgkGMkGgkGSkGgkGcR

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://roadrunnersell.com/trade/d.php?10783

exe.dropper

https://roadrunnersell.com/trade/d.php?10783

Targets

- Target
  
  Update.js
- Size
  
  6.7MB
- MD5
  
  ca8853d69abc5af704d4a71d2da11f83
- SHA1
  
  7c5179a432de485c26a660dd025a3b20ef0d7345
- SHA256
  
  67f7d43359b5087579c9eb9b1c8201c8168f56c8dfb00b2f0f8c4960b3ebb683
- SHA512
  
  c5df1d8c8b23910cff388da28667526d16855c4459e91b860a0000d931c3fb1506d2ec75ae49a53f21a3bf3eec323e7d1d319c323444406650786e6ad43b3de4
- SSDEEP
  
  49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fuJCz4F9dM2furCz4F9dMf:OkGgkGMkGgkGSkGgkGcR
Score

10^/10

execution netsupport discovery persistence rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

netsupportdiscoveryexecutionpersistencerat