netsupport | c2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634

Analysis

max time kernel
101s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2024, 16:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

das.php.zip
Size

2.2MB
MD5

0cc4ae68865ad3c85c1373f28ef04f81
SHA1

3572e86c09e8142ada3779d2aaaa46268c992273
SHA256

c2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634
SHA512

d110b21e5981165bd497d6d174233b4a517a16afe185c14e90064af2f6e0baf4c117626cb067b7ec4c57600dbf770bc68f942e936c26ab6402c125a1ead29003
SSDEEP

49152:a51ZlklEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTSR:E1tFXa/hRFY89YYc9jh23redpmQRY

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Executes dropped EXE 1 IoCs

pid	Process
4408	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
4408	client32.exe
4408	client32.exe
4408	client32.exe
4408	client32.exe
4408	client32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4352	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4352	7zFM.exe
Token: 35	4352	7zFM.exe
Token: SeSecurityPrivilege	4352	7zFM.exe
Token: SeSecurityPrivilege	4408	client32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4352	7zFM.exe
4352	7zFM.exe
4408	client32.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\das.php.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5084

C:\Users\Admin\Desktop\Teste\client32.exe
"C:\Users\Admin\Desktop\Teste\client32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4408

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

81.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.139.73.23.in-addr.arpa

IN PTR

Response

81.139.73.23.in-addr.arpa

IN PTR

a23-73-139-81deploystaticakamaitechnologiescom
DNS

geo.netsupportsoftware.com

client32.exe

Remote address:

8.8.8.8:53

Request

geo.netsupportsoftware.com

IN A

Response

geo.netsupportsoftware.com

IN A

104.26.0.231

geo.netsupportsoftware.com

IN A

172.67.68.212

geo.netsupportsoftware.com

IN A

104.26.1.231
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

104.26.0.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Nov 2024 16:43:12 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8e30b2ecf946886b-LHR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HmaBqvDNYuUtMCqhE2tcNql5dZlCB5BUrQc%2FQ7e%2FciZE4qgM6fpYAQQ9KXAYO6Ti1zl5J7mMORb0lbu%2BO3wQLY5kK33DtxMlFAs3y8WjrA%2FlSDAdNby2JJq5BfGXzL9h4TJxyWv%2FQuv0BoKq"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=26564&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

104.26.0.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Nov 2024 16:43:13 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8e30b2edeecf79af-LHR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tgd%2Blloy8wxEphXWELhnHyA9b0kEJjd6Dl38uctOKc8Hz2MR9PbpdS4rCqO%2BttJaD%2BN8QU%2BGCdQtoqQ8jz3rO2Z%2Fkk5ldjFkZxLnP0Q86wEb4koHd%2Fs2%2BCH%2BHb77QohL4LlP90d%2BS5sp4WIy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=26612&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

104.26.0.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 15 Nov 2024 16:43:13 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8e30b2eecbd2cd16-LHR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XI9wNxcQ5HSjB8%2B7k1y1aUg0CvVeC6h7dx%2BQQ2YaSI3tadJq01R8esl4bW3KauYIPgoISzZFyaqxGPnDLYDNtwPwRTdtyFAh88ElsSgzg%2BzqzkC0UAoV6pOpmd4DRRuRW3pRN%2BHtNCLnNb11"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=26638&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

143.159.181.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.159.181.5.in-addr.arpa

IN PTR

Response

143.159.181.5.in-addr.arpa

IN PTR

5-181-159-143 mivocloudcom
DNS

231.0.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

231.0.26.104.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

5.181.159.143:443

http

client32.exe

1.7kB
774 B
7
6
104.26.0.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

440 B
1.3kB
7
4

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404
104.26.0.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

440 B
1.3kB
7
4

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404
104.26.0.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

440 B
1.3kB
7
4

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

81.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

81.139.73.23.in-addr.arpa
8.8.8.8:53

geo.netsupportsoftware.com

dns

client32.exe

72 B
120 B
1
1

DNS Request

geo.netsupportsoftware.com

DNS Response

104.26.0.231

172.67.68.212

104.26.1.231
8.8.8.8:53

143.159.181.5.in-addr.arpa

dns

72 B
113 B
1
1

DNS Request

143.159.181.5.in-addr.arpa
8.8.8.8:53

231.0.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

231.0.26.104.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Teste\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\Desktop\Teste\NSM.LIC

Filesize
195B

MD5
e9609072de9c29dc1963be208948ba44

SHA1
03bbe27d0d1ba651ff43363587d3d6d2e170060f

SHA256
dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

SHA512
f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

Download Submit
C:\Users\Admin\Desktop\Teste\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\Desktop\Teste\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\Desktop\Teste\client32.ini

Filesize
669B

MD5
f734588a7620c48021688d3c2940353a

SHA1
c9b9aece48b4c134b838217426145fdd542f60e6

SHA256
97a2ce9683de5c9e03331d22309b5348f45cf65e77b1f011ba3505e2deafafc6

SHA512
0549dcc50347802c774078f6f9ecfec2b21b0c489aa8e96168ea12a2cec55169d4172baac13819a07686755697794f05ac5b75d554229faf268f9e64f54e2033

Download Submit
C:\Users\Admin\Desktop\Teste\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Desktop\Teste\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\Desktop\Teste\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.