File name:	Update4629.js
Full analysis:	https://app.any.run/tasks/0a43c093-2a4d-4003-a387-8f0e7e2a07a5
Verdict:	Malicious activity
Threats:	NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. Malware Trends Tracker >>>
Analysis date:	February 12, 2025, 17:09:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netsupport remote unwanted tool arch-exec
Indicators:
MIME:	application/javascript
File info:	JavaScript source, ASCII text, with very long lines (463)
MD5:	466B801AB6EA79A55E9E7C2B4AD8A03B
SHA1:	D907974C2D928B5CD206F68ABCF700FCCDA294F3
SHA256:	0B02335EC9C7F824917C30B76C991345768BFA3E2A09D7EC6F2D65EF84B23EF5
SSDEEP:	12288:wum1wz4FL5dM2f8f3ue1wz4FL5dM2f8fl:OCz4F9dM2f8frCz4F9dM2f8fl


(PID) Process:	(6492) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6492) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6492) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6492) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000FFD099F0707DDB01
(PID) Process:	(6492) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6872) client32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6872) client32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6492) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: E7D4130000000000
(PID) Process:	(6872) client32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7016) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithProgids
Operation:	write	Name:	Paint.Picture
Value:

PID	Process	Filename		Type
6492	wscript.exe	C:\ProgramData\l6f577h9\comcat.dll		executable
		MD5:835FF05A3F5E16E0FE41E515EA398BD4	SHA256:8DCFB1E6AA965DF4BD4C0551D03BDFD6472C80219ADA4671910958688FBB4AB6
6492	wscript.exe	C:\ProgramData\l6f577h9\HTCTL32.DLL		executable
		MD5:3EED18B47412D3F91A394AE880B56ED2	SHA256:13A17F2AD9288AAC8941D895251604BEB9524FA3C65C781197841EE15480A13F
6492	wscript.exe	C:\ProgramData\l6f577h9\mprext.dll		executable
		MD5:0EABD6AB464758F058FC039A47F61750	SHA256:F96E8D99B736E4CE7997BB1DE65D88C32E16F1F725D8BD98F52C39A02969FD87
6492	wscript.exe	C:\ProgramData\l6f577h9\client32.exe		executable
		MD5:1C19C2E97C5E6B30DE69EE684E6E5589	SHA256:312A0E4DB34A40CB95BA1FAC8BF87DEB45D0C5F048D38AC65EB060273B07DF67
6492	wscript.exe	C:\ProgramData\l6f577h9\ifsutilx.dll		executable
		MD5:27A7213091CDA31E84967BEAD4D29BD1	SHA256:42214053995B6188B2E20935CA8C92AF77639F0D5541A132920A5CBA2CFCBDE6
6492	wscript.exe	C:\ProgramData\l6f577h9\nskbfltr.inf		binary
		MD5:26E28C01461F7E65C402BDF09923D435	SHA256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
6492	wscript.exe	C:\ProgramData\l6f577h9\neth.dll		executable
		MD5:26BF659DC283CD389BAAD0CA54C1ABCA	SHA256:AD2310E7F3BA73C29872A14826F6A5118765A4C6B67A57168A336C05365DD152
6492	wscript.exe	C:\ProgramData\l6f577h9\msidle.dll		executable
		MD5:B1C1BB1EF2AC2D739AEAED77C33C1848	SHA256:CD8D7CAEBFEB4EB9124BA3E025AFF68DDE554A8DD6B3365654BF936200C4E563
6492	wscript.exe	C:\ProgramData\l6f577h9\msvcr100.dll		executable
		MD5:0E37FBFA79D349D672456923EC5FBBE3	SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
6492	wscript.exe	C:\ProgramData\l6f577h9\KBDTAM99.DLL		executable
		MD5:CCC736781CF4A49F42CD07C703B3A18B	SHA256:000C4B5B50966634DF58078511794F83690D693FCCF2ACA5C970C20981B29556

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
444	svchost.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
444	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6872	client32.exe	POST	502	5.181.159.62:443	http://5.181.159.62/fakeurl.htm	unknown	—	—	malicious
—	—	OPTIONS	204	3.233.129.217:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RU&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	—
6872	client32.exe	GET	200	104.26.1.231:80	http://geo.netsupportsoftware.com/location/loca.asp	unknown	—	—	malicious
—	—	GET	200	23.35.236.137:443	https://geo2.adobe.com/	unknown	text	48 b	whitelisted
—	—	GET	200	52.6.155.20:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RU&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	binary	187 b	whitelisted
—	—	POST	200	185.33.84.132:443	https://activekala.shop/work/file.php?fd=76&if=732	unknown	text	2.30 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
444	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.19.122.20:443	—	Akamai International B.V.	DE	unknown
4712	MoUsoCoreWorker.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
444	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
6492	wscript.exe	185.33.84.132:443	activekala.shop	HZ Hosting Ltd	US	unknown
444	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
google.com	142.250.185.174	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
activekala.shop	185.33.84.132	unknown
www.microsoft.com	2.23.246.101	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
geo.netsupportsoftware.com	104.26.1.231 172.67.68.212 104.26.0.231	unknown
geo2.adobe.com	23.35.236.137	whitelisted
p13n.adobe.io	52.6.155.20 3.219.243.226 52.22.41.97 3.233.129.217	whitelisted
self.events.data.microsoft.com	51.104.15.253	whitelisted
armmf.adobe.com	23.35.228.137	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET REMOTE_ACCESS NetSupport Remote Admin Checkin
6872	client32.exe	Potentially Bad Traffic	ET INFO HTTP traffic on port 443 (POST)
6872	client32.exe	A Network Trojan was detected	REMOTE [ANY.RUN] NetSupport RAT
6872	client32.exe	Misc activity	ET REMOTE_ACCESS NetSupport Remote Admin Checkin
6872	client32.exe	Potential Corporate Privacy Violation	ET REMOTE_ACCESS NetSupport GeoLocation Lookup Request

General Info

Update4629.js

466B801AB6EA79A55E9E7C2B4AD8A03B

D907974C2D928B5CD206F68ABCF700FCCDA294F3

0B02335EC9C7F824917C30B76C991345768BFA3E2A09D7EC6F2D65EF84B23EF5

12288:wum1wz4FL5dM2f8f3ue1wz4FL5dM2f8fl:OCz4F9dM2f8frCz4F9dM2f8fl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Creates a new registry key or changes the value of an existing one (SCRIPT)

Creates a new folder (SCRIPT)

Creates internet connection object (SCRIPT)

Opens an HTTP connection (SCRIPT)

Accesses environment variables (SCRIPT)

Checks whether a specified folder exists (SCRIPT)

Sends HTTP request (SCRIPT)

Modifies registry startup key (SCRIPT)

Deletes a file (SCRIPT)

NETSUPPORT mutex has been found

NETSUPPORT has been detected (SURICATA)

NETSUPPORT has been detected (YARA)

Connects to the CnC server

SUSPICIOUS

Writes binary data to a Stream object (SCRIPT)

Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

Saves data to a binary file (SCRIPT)

Creates a Folder object (SCRIPT)

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Drop NetSupport executable file

Creates FileSystem object to access computer's file system (SCRIPT)

Gets full path of the running script (SCRIPT)

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

INFO

Checks proxy server information

Creates files in the program directory

The sample compiled with english language support

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Manual execution by a user

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Application launched itself

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events