Cortex XDR™ Detects New Phishing Campaign Installing NetSupport Manager RAT
Common Information
UUID: 7e60ce3b-b20f-4c13-8918-30439b2dd5b9
Fingerprint: 24104913fba589f5
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Feb. 27, 2020, 2 p.m.
Added to db: Jan. 18, 2023, 10:41 p.m.
Last updated: Nov. 17, 2024, 6:54 p.m.
Headline: Cortex XDR™ Detects New Phishing Campaign Installing NetSupport Manager RAT
Title: Cortex XDR™ Detects New Phishing Campaign Installing NetSupport Manager RAT
Detected Hints/Tags/Attributes: 67/2/46
Attributes