General
-
Target
cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe
-
Size
21.4MB
-
Sample
250129-z4frlazlav
-
MD5
c50fd06f02edb960eccb1fa95574a2a8
-
SHA1
a152464e017a557a2514e4a928be0aaecdd3ac23
-
SHA256
78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d
-
SHA512
9d148fb958afa03e1eb2b40cd9ed6e2a929d439811d0d7191f0da1a1263e58a1c787d2dcc43acb9f97e374e3eee2632a91d6c1fa1797e14e1639833ff024498b
-
SSDEEP
393216:qaPjW5fGPD4ZMpbLV6olaLYBFb+R3Oaa57/WsSej93Wafvp0Ye5wiiuJp7r+Z+sw:VYZMyL0F6R+5Cxej93r3Ppip7vI+sP3Y
Malware Config
Targets
-
-
Target
cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe
-
Size
21.4MB
-
MD5
c50fd06f02edb960eccb1fa95574a2a8
-
SHA1
a152464e017a557a2514e4a928be0aaecdd3ac23
-
SHA256
78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d
-
SHA512
9d148fb958afa03e1eb2b40cd9ed6e2a929d439811d0d7191f0da1a1263e58a1c787d2dcc43acb9f97e374e3eee2632a91d6c1fa1797e14e1639833ff024498b
-
SSDEEP
393216:qaPjW5fGPD4ZMpbLV6olaLYBFb+R3Oaa57/WsSej93Wafvp0Ye5wiiuJp7r+Z+sw:VYZMyL0F6R+5Cxej93r3Ppip7vI+sP3Y
Score10/10-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Netsupport family
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-