ANY.RUN<p>🚨 <a href="https://infosec.exchange/tags/Obfuscated" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Obfuscated</span></a> BAT file used to deliver NetSupport RAT </p><p>At the time of the analysis, the sample had not yet been submitted to <a href="https://infosec.exchange/tags/VirusTotal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VirusTotal</span></a> ⚠️ </p><p>👨‍💻 See sandbox session: <a href="https://app.any.run/tasks/db6fcb53-6f10-464e-9883-72fd7f1db294?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_bat_file&utm_content=linktoservice&utm_term=050625" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/db6fcb53-6f1</span><span class="invisible">0-464e-9883-72fd7f1db294?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_bat_file&utm_content=linktoservice&utm_term=050625</span></a> </p><p>🔗 Execution chain: <br>cmd.exe (BAT) ➡️ <a href="https://infosec.exchange/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PowerShell</span></a> ➡️ PowerShell ➡️ <a href="https://infosec.exchange/tags/client32" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>client32</span></a>.exe (NetSupport client) ➡️ reg.exe </p><p>Key details: <br>🔹 Uses a 'client32' process to run <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> and adds it to autorun in the registry via reg.exe <br>🔹 Creates an 'Options' folder in %APPDATA% if missing <br>🔹 NetSupport client downloads a task .zip file, extracts it, and runs it from %APPDATA%\Application .zip <br>🔹 Deletes ZIP files after execution </p><p>❗️ BAT droppers remain a common choice in attacks as threat actors continue to find new methods to evade detection. </p><p>Use <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a>’s Interactive Sandbox to quickly trace the full execution chain and uncover <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> behavior for fast and informed response. </p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
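<p>The execution chain and the reg.exe autorun step described in the post translate directly into a process-ancestry detection. The script below is an added example (not ANY.RUN's code and not taken from the sandbox session): it walks constructed Sysmon-style process-creation events, looks for a reg.exe write to a Run key, and only raises a finding when that reg.exe descends from client32.exe ➡️ PowerShell ➡️ PowerShell ➡️ cmd.exe, additionally noting whether client32.exe lives under the %APPDATA%\Options folder the post mentions. All PIDs, paths and command lines in the sample events are invented for the example; the encoded-command text is a placeholder.</p>

```python
"""Added example, not ANY.RUN's code: flag the cmd.exe -> PowerShell -> PowerShell
-> client32.exe -> reg.exe chain from the post over constructed process events."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase executable basename, e.g. "powershell.exe"
    cmdline: str


# Constructed sample telemetry (Sysmon Event ID 1 style). PIDs, user name, paths and
# the encoded-command placeholder are invented for this example.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe", 'cmd.exe /c "C:\\Users\\victim\\Downloads\\invoice.bat"'),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -w hidden -ep bypass -enc <base64 placeholder>"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -w hidden -c <stage2 placeholder>"),
    ProcEvent(500, 400, "client32.exe", "C:\\Users\\victim\\AppData\\Roaming\\Options\\client32.exe"),
    ProcEvent(600, 500, "reg.exe",
              'reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
              '/v Options /t REG_SZ /d "C:\\Users\\victim\\AppData\\Roaming\\Options\\client32.exe" /f'),
    # Benign noise: an admin querying the same Run key straight from the shell.
    ProcEvent(700, 100, "reg.exe", "reg.exe query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ProcEvent(800, 100, "notepad.exe", "notepad.exe"),
]

# Ancestry expected above the reg.exe process, nearest parent first (from the post).
NETSUPPORT_CHAIN = ["client32.exe", "powershell.exe", "powershell.exe", "cmd.exe"]

RUN_KEY_RE = re.compile(r"\\currentversion\\run\b", re.IGNORECASE)
APPDATA_OPTIONS_RE = re.compile(r"\\appdata\\roaming\\options\\", re.IGNORECASE)


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Ancestors of pid, nearest parent first; stops at an unknown parent or a cycle."""
    out: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        out.append(cur)
    return out


def chain_matches(images: List[str], pattern: List[str]) -> bool:
    """True if pattern occurs in order within images (gaps allowed, so an
    intermediate conhost.exe or similar does not break the match)."""
    it = iter(images)
    return all(any(img == want for img in it) for want in pattern)


def find_netsupport_persistence(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per reg.exe Run-key write whose ancestry is the post's chain."""
    by_pid = index_by_pid(events)
    findings = []
    for ev in events:
        if ev.image != "reg.exe" or not RUN_KEY_RE.search(ev.cmdline):
            continue
        anc = ancestry(by_pid, ev.pid)
        images = [a.image for a in anc]
        if not chain_matches(images, NETSUPPORT_CHAIN):
            continue
        client = next(a for a in anc if a.image == "client32.exe")
        findings.append({
            "reg_pid": ev.pid,
            "client32_pid": client.pid,
            "client32_in_appdata_options": bool(APPDATA_OPTIONS_RE.search(client.cmdline)),
            "chain": images,
        })
    return findings


if __name__ == "__main__":
    for f in find_netsupport_persistence(SAMPLE_EVENTS):
        print(f"reg.exe pid {f['reg_pid']} persisted client32.exe pid {f['client32_pid']}; "
              f"ancestry: {' <- '.join(f['chain'])}; in %APPDATA%\\Options: "
              f"{f['client32_in_appdata_options']}")
```

<p>The ancestry check is what keeps the benign reg.exe query (pid 700) from firing even though it touches the same Run key; the match on the client32.exe path is reported as a separate flag rather than a requirement, since the folder name is the easiest part of the behaviour for a dropper to change.</p>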