🚨 #Obfuscated BAT file used to deliver NetSupport RAT

At the time of the analysis, the sample had not yet been submitted to #VirusTotal ⚠️

👨‍💻 See sandbox session: https://app.any.run/tasks/db6fcb53-6f10-464e-9883-72fd7f1db294?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_bat_file&utm_content=linktoservice&utm_term=050625

🔗 Execution chain:
cmd.exe (BAT) ➡️ #PowerShell ➡️ PowerShell ➡️ #client32.exe (NetSupport client) ➡️ reg.exe

Key details:
🔹 Uses a 'client32' process to run #NetSupport #RAT and add it to autorun in registry via reg.exe
🔹 Creates an 'Options' folder in %APPDATA% if missing
🔹 NetSupport client downloads a task .zip file, extracts, and runs it from %APPDATA%\Application .zip
🔹 Deletes ZIP files after execution

❗️ BAT droppers remain a common choice in attacks as threat actors continue to find new methods to evade detection.

Use #ANYRUN’s Interactive Sandbox to quickly trace the full execution chain and uncover #malware behavior for fast and informed response.

#cybersecurity #infosec
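
One way to hunt for the execution chain described above in process-creation telemetry, as an added example that is not ANY.RUN's code. The events, paths and value names are constructed, and the Run-key match is an assumption because the post does not name the autorun key.

```python
import ntpath

# Child-first process names for the chain in the post: cmd -> PS -> PS -> client32 -> reg
CHAIN = ["reg.exe", "client32.exe", "powershell.exe", "powershell.exe", "cmd.exe"]
# Assumption: the post does not name the autorun key; the standard Run/RunOnce keys are matched.
AUTORUN_HINT = r"\currentversion\run"
SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"
REG_ADD = r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Example /d client32.exe /f"

# Constructed process-creation events (Sysmon Event ID 1 style); not taken from the sandbox task.
EVENTS = [
    {"pid": 200, "ppid": 100, "image": SYS + "cmd.exe", "cmd": r'cmd.exe /c "C:\Users\u\Downloads\sample.bat"'},
    {"pid": 300, "ppid": 200, "image": PS, "cmd": "powershell.exe <constructed stage 1>"},
    {"pid": 400, "ppid": 300, "image": PS, "cmd": "powershell.exe <constructed stage 2>"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Roaming\example\client32.exe", "cmd": "client32.exe"},
    {"pid": 600, "ppid": 500, "image": SYS + "reg.exe", "cmd": REG_ADD},
    # Benign look-alike: an admin adds a Run value from an interactive shell, no RAT in the ancestry.
    {"pid": 700, "ppid": 100, "image": SYS + "cmd.exe", "cmd": "cmd.exe"},
    {"pid": 710, "ppid": 700, "image": SYS + "reg.exe", "cmd": REG_ADD},
]

def name(ev):
    return ntpath.basename(ev["image"]).lower()

def ancestry(ev, by_pid):
    """Process names from this event up to the oldest known ancestor, child first."""
    chain, seen = [], set()
    while ev and ev["pid"] not in seen:  # 'seen' guards against parent loops in bad data
        seen.add(ev["pid"])
        chain.append(name(ev))
        ev = by_pid.get(ev["ppid"])
    return chain

def is_subsequence(pattern, chain):
    """True if pattern occurs in order within chain; extra intermediate processes are allowed."""
    it = iter(chain)
    return all(p in it for p in pattern)

def detect(events):
    """Flag reg.exe autorun writes whose ancestry contains the chain from the post."""
    by_pid = {e["pid"]: e for e in events}  # assumes PIDs are unique within the time window
    hits = []
    for ev in events:
        cmd = ev["cmd"].lower()
        if name(ev) == "reg.exe" and " add " in cmd and AUTORUN_HINT in cmd:
            chain = ancestry(ev, by_pid)
            if is_subsequence(CHAIN, chain):
                hits.append({"reg_pid": ev["pid"], "chain": chain[::-1], "cmd": ev["cmd"]})
    return hits
```

Matching on ancestry rather than on the reg.exe command alone keeps the benign Run-key write (PID 710 in the sample) out of the results.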