Overview

overview

10

Static

static

4

Qm9CQ0KLQl...?=.pdf

windows7-x64

3

Qm9CQ0KLQl...?=.pdf

windows10-2004-x64

10

Resubmissions

12-02-2025 11:26

250212-nj99xsyqgr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    12-02-1.eml

  • Size

    278KB

  • Sample

    250212-nj99xsyqgr

  • MD5

    715d1690f52a1f84d5dde04595ec30ef

  • SHA1

    47f62e5f87132ce3049eb9726baa5319b8268e6b

  • SHA256

    259e85c4c33dc04bb5b7d4d13f3b328de26d380fc403d15c12755dc2fc98f522

  • SHA512

    4aa5b8e9a2d3ebe4c708ea833775df40f6bac798e951e36d37e89c8671fafd8976d8cb74f621699854b3d589378f30003faa0c7ec3fe0c83253cf9f879cf3134

  • SSDEEP

    6144:n9HXoiW1xexZdl5bUyV9xNGOtkW8njUPFfz:nxXoiwKYynG6z

Score
10/10
netsupportadwarediscoveryexecutionlinkpdfpersistenceprivilege_escalationqrratstealer

Malware Config

Targets

    • Target

      Qm9CQ0KLQldCW0J3QkCDQhtCd0KHQotCg0KPQmtCm0IbQr18wMDAwMDcy?= =?utf-8?B?Mi5wZGY=?=

    • Size

      194KB

    • MD5

      c6846a7fa898d72e118a5c5aa7daef92

    • SHA1

      6faecdd8fc54992d5380f8f84bc5d8d34cc6c799

    • SHA256

      405c43e0efaa8428373b32a9f114e317babc2d22339ddf2116aa72d4691df051

    • SHA512

      28d56c084e33d46a64733468e2aaf7a6fb30982a0974dcb8d3d0c8d34c12c86315450ae8993ba965dc6d45c19a4f824444bbac375e5100c0d1695b0cac834b1c

    • SSDEEP

      6144:rjzzkdi1pv2BdYgZ1VzkR9YwPfslTdCbBI:rrkdi1RkSk1VzkR9YwsqBI

    Score
    10/10
    discoverynetsupportadwareexecutionpersistenceprivilege_escalationratstealer

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • Netsupport family

      netsupport

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

6
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks