netsupport_07112018

1. # Malvertising @ cobalten[.]com (Propeller Ads Media)
2. # Drops NetSupport RAT
3.  
4. # Links:
5. https://app.any.run/tasks/9de1c3d6-745d-4b89-b653-f8f4414a40f1
6. https://www.virustotal.com/#/file/2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e/detection
7.  
8. # Bro HTTP chain
9. x.x.x.x 49200 216.70.123.70 80 1 GET www.mareiro.com.br / https://www.google.com/ Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, l
10. ike Gecko) Chrome/67.0.3396.99 Safari/537.36 0 0 301 Moved Permanently - - - (empty) - - - - - - -
11.  
12.  
13. x.x.x.x 49288 188.72.213.176 80 1 GET cobalten.com /apu.php?zoneid=1579538 http://mareiro.com.br/ Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 0 84396 200 OK - - - (empty) - - - - - text/plain
14.  
15.  
16. x.x.x.x 49450 192.81.213.95 80 1 GET 192.81.213.95 /pag333/index.php?bemobdata=c=841fc6ae-a1a6-4507-99e9-3ead215e0e39..a=0..b=0..r=http%3A%2F%2Fcobalten.com%2Fafu.php%3Fzoneid%3D1407888%26var%3D1579538 http://cobalten.com/afu.php?zoneid=1407888&var=1579538 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 0 682 200 OK - - - (empty) - - - - - text/html
17.  
18. x.x.x.x 49455 192.81.213.95 80 3 GET 192.81.213.95 /kaleaesd/lnstal_v10.7.0.0.5.zip http://192.81.213.95/pag333/index.php?bemobdata=c%3D841fc6ae-a1a6-4507-99e9-3ead215e0e39..a%3D0..b%3D0..r%3Dhttp%253A%252F%252Fcobalten.com%252Fafu.php%253Fzoneid%253D1407888%2526var%253D1579538 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 0 609162 200 OK - - - (empty) - - - - - application/zip