netsupport | e684b2f2cc1845651860ac109b02e9ff1dc36d8c92c5c6e558e65d9222c15c87 | Triage

Submit
Reports

Overview

overview

Static

static

4

Qm9CQ0KLQl...?=.pdf

windows7-x64

8

Qm9CQ0KLQl...?=.pdf

windows10-2004-x64

Sharing

General

Target

12-02-2.eml
Size

278KB
Sample

250212-nkrtzayrak
MD5

0c919e5e993acc66fd31d9bc7e52c2f3
SHA1

6b9ee918f2bc768d0feca71345902f678d2bb9cd
SHA256

e684b2f2cc1845651860ac109b02e9ff1dc36d8c92c5c6e558e65d9222c15c87
SHA512

eb483478aa11aabceddea905e38d77136841103baed9f33c457587a1c8c96a3b4476d08de0e6f15a2b48f234a2fc164573ce5d0f87c00d81d6dc3ae4cfa628e6
SSDEEP

6144:UuHXoiW1xexZdl5bUyV9NNGOtkW8njUPFfH:UQXoiwKYyDG6H

Score

10^/10

netsupport discovery execution link pdf persistence qr rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Qm9CQ0KLQldCW0J3QkCDQhtCd0KHQotCg0KPQmtCm0IbQr18wMDAwMDcy?= =?utf-8?B?OC5wZGY=?=.pdf

Resource

win7-20250207-en

discovery execution persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Qm9CQ0KLQldCW0J3QkCDQhtCd0KHQotCg0KPQmtCm0IbQr18wMDAwMDcy?= =?utf-8?B?OC5wZGY=?=.pdf

Resource

win10v2004-20250211-en

netsupport discovery execution persistence rat

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  Qm9CQ0KLQldCW0J3QkCDQhtCd0KHQotCg0KPQmtCm0IbQr18wMDAwMDcy?= =?utf-8?B?OC5wZGY=?=
- Size
  
  194KB
- MD5
  
  06e6c95ef183f7566b33ad46ea3c3164
- SHA1
  
  cd06d99bef4c9eed5bc71f8c2b5edfc37925c689
- SHA256
  
  2807336cb03f03064aaea8d78967fbb3e95abb69ded3bfd56b359e9cd501bbd5
- SHA512
  
  97fd003605924e4f0416b35f5319e7e9cdc1bb3e24eea45b13cc169648f4bbd231bb1b8a35626f93ba233504fdc9c1daeccfce2c9c7d9f772540068fe1c2a0c2
- SSDEEP
  
  6144:rbzzkdi1pv2BdYgZ1VzkR9YgPfslTdCbBM:rzkdi1RkSk1VzkR9YgsqBM
Score

10^/10

discovery execution persistence netsupport rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Netsupport family
  netsupport
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecutionpersistence

behavioral2

netsupportdiscoveryexecutionpersistencerat

© 2018-2025

Terms | Privacy