SmartApeSG Script for Fake Browser Update Leads to NetSupport RAT and StealC

    Date: 02/19/2025

    Severity: High

    Summary

    SmartApeSG (also referred to as ZPHP or HANEYMANEY) is a fake browser update lure; this activity leads to NetSupport RAT and StealC.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://cinaweine.shop/work/original.js

    https://cinaweine.shop/work/index.php?

    https://cinaweine.shop/work/assets/css/index.css

    https://cinaweine.shop/work/assets/img/microsoft.png

    https://cinaweine.shop/work/assets/js/index.js

    https://cinaweine.shop/work/assets/img/hero-img_desktop%203.png

    https://cinaweine.shop/work/assets/img/edge-bg.png

    https://poormet.com/lol.zip?&files=5606

    http://geo.netsupportsoftware.com/location/loca.asp

    http://194.180.191.229/fakeurl.htm

    http://62.164.130.69/

    http://62.164.130.69/651b5330b08aff3e.php

    http://62.164.130.69/16fcfdf0c5b3315a/sqlite3.dll

    http://62.164.130.69/16fcfdf0c5b3315a/freebl3.dll

    http://62.164.130.69/16fcfdf0c5b3315a/mozglue.dll

    http://62.164.130.69/16fcfdf0c5b3315a/msvcp140.dll

    http://62.164.130.69/16fcfdf0c5b3315a/nss3.dll

    http://62.164.130.69/16fcfdf0c5b3315a/softokn3.dll

    http://62.164.130.69/16fcfdf0c5b3315a/vcruntime140.dll

    IP Address:

    194.180.191.229

    Hash (SHA-256):

    47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc
    
    b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3
    
    e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d
    
    ff7e8ccc41bc3a506103bdd719a19318bf711351ac0e61e1f1cf00f5f02251d5
    
    021bb478b704abb95ac2040061b7d47d8e4b491e6d2633adb010c3b8b08bb4f4

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "http://194.180.191.229/fakeurl.htm" or url like "http://194.180.191.229/fakeurl.htm" or userdomainname like "https://cinaweine.shop/work/original.js" or url like "https://cinaweine.shop/work/original.js" or userdomainname like "http://geo.netsupportsoftware.com/location/loca.asp" or url like "http://geo.netsupportsoftware.com/location/loca.asp" or userdomainname like "https://cinaweine.shop/work/index.php?" or url like "https://cinaweine.shop/work/index.php?" or userdomainname like "https://cinaweine.shop/work/assets/css/index.css" or url like "https://cinaweine.shop/work/assets/css/index.css" or userdomainname like "https://cinaweine.shop/work/assets/img/microsoft.png" or url like "https://cinaweine.shop/work/assets/img/microsoft.png" or userdomainname like "https://cinaweine.shop/work/assets/js/index.js" or url like "https://cinaweine.shop/work/assets/js/index.js" or userdomainname like "https://cinaweine.shop/work/assets/img/hero-img_desktop%203.png" or url like "https://cinaweine.shop/work/assets/img/hero-img_desktop%203.png" or userdomainname like "https://cinaweine.shop/work/assets/img/edge-bg.png" or url like "https://cinaweine.shop/work/assets/img/edge-bg.png" or userdomainname like "https://poormet.com/lol.zip?&files=5606" or url like "https://poormet.com/lol.zip?&files=5606" or userdomainname like "http://62.164.130.69/" or url like "http://62.164.130.69/" or userdomainname like "http://62.164.130.69/651b5330b08aff3e.php" or url like "http://62.164.130.69/651b5330b08aff3e.php" or userdomainname like "http://62.164.130.69/16fcfdf0c5b3315a/sqlite3.dll" or url like "http://62.164.130.69/16fcfdf0c5b3315a/sqlite3.dll" or userdomainname like "http://62.164.130.69/16fcfdf0c5b3315a/freebl3.dll" or url like "http://62.164.130.69/16fcfdf0c5b3315a/freebl3.dll" or userdomainname like "http://62.164.130.69/16fcfdf0c5b3315a/mozglue.dll" or url like "http://62.164.130.69/16fcfdf0c5b3315a/mozglue.dll" or userdomainname like "http://62.164.130.69/16fcfdf0c5b3315a/msvcp140.dll" or url like "http://62.164.130.69/16fcfdf0c5b3315a/msvcp140.dll" or userdomainname like "http://62.164.130.69/16fcfdf0c5b3315a/nss3.dll" or url like "http://62.164.130.69/16fcfdf0c5b3315a/nss3.dll" or userdomainname like "http://62.164.130.69/16fcfdf0c5b3315a/softokn3.dll" or url like "http://62.164.130.69/16fcfdf0c5b3315a/softokn3.dll" or userdomainname like "http://62.164.130.69/16fcfdf0c5b3315a/vcruntime140.dll" or url like "http://62.164.130.69/16fcfdf0c5b3315a/vcruntime140.dll"

    IP Address:

    dstipaddress like "194.180.191.229" or ipaddress like "194.180.191.229" or publicipaddress like "194.180.191.229" or srcipaddress like "194.180.191.229"

    Hash (SHA-256):

    sha256hash IN ("b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3","e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d","ff7e8ccc41bc3a506103bdd719a19318bf711351ac0e61e1f1cf00f5f02251d5","47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc","021bb478b704abb95ac2040061b7d47d8e4b491e6d2633adb010c3b8b08bb4f4")
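The three TDIR queries above match on exact URL, IP and SHA-256 values. The script below is an added example (editor-supplied, not Gurucul's or Unit 42's tooling) that applies the same indicators to constructed proxy and file-event log lines, with two generalizations a practitioner usually wants: URLs are compared by host and path so that a request to index.php with a query string still hits the "index.php?" indicator, and every host found in the URL list is treated as a host indicator, which covers 62.164.130.69 even though the IP list above names only 194.180.191.229. The log layouts and sample events are invented for the example.

```python
"""Added example: match constructed log lines against the IOCs listed on this page.

Editor-supplied illustration code, not Gurucul's or Unit 42's tooling.
The log layouts and sample events below are invented for the example.
"""
import re
from urllib.parse import urlsplit

# URL, IP and SHA-256 indicators copied from the IOC list above.
IOC_URLS = [
    "https://cinaweine.shop/work/original.js",
    "https://cinaweine.shop/work/index.php?",
    "https://cinaweine.shop/work/assets/css/index.css",
    "https://cinaweine.shop/work/assets/img/microsoft.png",
    "https://cinaweine.shop/work/assets/js/index.js",
    "https://cinaweine.shop/work/assets/img/hero-img_desktop%203.png",
    "https://cinaweine.shop/work/assets/img/edge-bg.png",
    "https://poormet.com/lol.zip?&files=5606",
    "http://geo.netsupportsoftware.com/location/loca.asp",
    "http://194.180.191.229/fakeurl.htm",
    "http://62.164.130.69/",
    "http://62.164.130.69/651b5330b08aff3e.php",
] + [
    f"http://62.164.130.69/16fcfdf0c5b3315a/{dll}"
    for dll in ("sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
                "nss3.dll", "softokn3.dll", "vcruntime140.dll")
]
IOC_IPS = {"194.180.191.229"}
IOC_SHA256 = {
    "47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc",
    "b71f07964071f20aaeb5575d7273e2941853973defa6cb22160e126484d4a5d3",
    "e9eb934dad3f87ee581df72af265183f86fdfad87018eed358fb4d7f669e5b7d",
    "ff7e8ccc41bc3a506103bdd719a19318bf711351ac0e61e1f1cf00f5f02251d5",
    "021bb478b704abb95ac2040061b7d47d8e4b491e6d2633adb010c3b8b08bb4f4",
}


def normalize_url(url):
    """Reduce a URL to (host, path). Scheme and query string are dropped, so a
    request for index.php?id=... still matches the 'index.php?' indicator."""
    parts = urlsplit(url.strip())
    if not parts.hostname:
        return None
    return parts.hostname.lower(), parts.path or "/"


IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}
# Every host in the URL list is an indicator in its own right; this also covers
# 62.164.130.69, which the page lists only inside URLs and not in its IP list.
IOC_HOSTS = {host for host, _ in IOC_URL_KEYS} | IOC_IPS

# Constructed proxy-log layout: timestamp src_ip dst_ip METHOD url
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def match_line(line):
    """Return the (indicator_type, value) hits for one log line, most specific first."""
    hits = []
    m = PROXY_RE.match(line)
    if m:
        key = normalize_url(m.group("url"))
        if key in IOC_URL_KEYS:
            hits.append(("url", key[0] + key[1]))
        elif key and key[0] in IOC_HOSTS:
            hits.append(("host", key[0]))
        for ip in (m.group("src"), m.group("dst")):
            if ip in IOC_IPS:
                hits.append(("ip", ip))
    # Any 64-hex token anywhere in the line (e.g. a file-event 'sha256=' field).
    for digest in SHA256_RE.findall(line.lower()):
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    return hits


def scan(lines):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    return [(ln, h) for ln in lines if (h := match_line(ln))]


# Constructed sample events (not real telemetry; the file path is a placeholder).
SAMPLE_LOGS = [
    "2025-02-19T10:01:02Z 10.0.0.5 104.21.0.1 GET https://cinaweine.shop/work/index.php?id=7731",
    "2025-02-19T10:01:09Z 10.0.0.5 194.180.191.229 GET http://194.180.191.229/fakeurl.htm",
    "2025-02-19T10:02:15Z 10.0.0.5 62.164.130.69 POST http://62.164.130.69/other.php",
    "2025-02-19T10:02:30Z FILE_CREATE C:\\Users\\victim\\Downloads\\update.exe "
    "sha256=47f59d61beabd8f1dcbbdd190483271c7f596a277ecbe9fd227238a7ff74cbfc",
    "2025-02-19T10:03:00Z 10.0.0.5 142.250.0.1 GET https://www.example.com/",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(hits, "<-", line)
```

The host-level fallback fires only when no exact URL indicator matched, so a hit on an unlisted path under 62.164.130.69 is reported as a host hit rather than a URL hit; treat such hits as lower confidence than exact URL or hash matches when triaging.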

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt


    Tags

    RAT, SmartApeSG, NETSUPPORT, STEALC
