Obfuscated BAT Dropper Delivers NetSupport RAT

Execution Chain Analysis

The attack follows this pattern:

`cmd.exe (BAT) ➡️ PowerShell ➡️ PowerShell ➡️ client32.exe ➡️ reg.exe`

Key Tactics:

  • Uses client32.exe to execute NetSupport RAT
  • Persists via reg.exe registry modifications
  • Creates an `Options` folder in `%APPDATA%` if missing
  • Downloads, extracts, and executes a malicious ZIP from `%APPDATA%\Application.zip`
  • Deletes ZIP files post-execution for cleanup

You Should Know:

Detection & Hunting (KQL Query)

Use this Microsoft Defender XDR KQL query to hunt for similar BAT droppers:

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where FileName in~ ("powershell.exe", "client32.exe", "reg.exe")
| where ProcessCommandLine has_any ("%APPDATA%", "Application.zip")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
```
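The KQL above only sees one hop (cmd.exe spawning a child). As an added example, not from the original post or the referenced GitHub source, the Python below rebuilds each process's full ancestry from constructed process-creation events and flags lineages that complete the cmd.exe → PowerShell → client32.exe → reg.exe chain; the field names, pids and command lines are all assumed.

```python
# Added example, not from the post: rebuild each process's ancestry from
# constructed process-creation events and flag lineages that complete
# cmd.exe -> powershell.exe -> client32.exe -> reg.exe (repeated hops allowed).
CHAIN = ["cmd.exe", "powershell.exe", "client32.exe", "reg.exe"]
INDICATORS = ("%appdata%", "application.zip", "\\options\\")   # from the post
# Constructed sample events with assumed field names (not a real capture).
EVENTS = [
    {"pid": 100, "ppid": 1,   "file": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "file": "cmd.exe",        "cmd": 'cmd.exe /c "invoice.bat"'},
    {"pid": 300, "ppid": 200, "file": "powershell.exe", "cmd": "powershell.exe -w hidden -enc AAAA"},
    {"pid": 400, "ppid": 300, "file": "powershell.exe", "cmd": "powershell.exe Expand-Archive %APPDATA%\\Application.zip"},
    {"pid": 500, "ppid": 400, "file": "client32.exe",   "cmd": "%APPDATA%\\Options\\client32.exe"},
    {"pid": 600, "ppid": 500, "file": "reg.exe",        "cmd": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Options /d client32.exe"},
    {"pid": 700, "ppid": 100, "file": "cmd.exe",        "cmd": "cmd.exe /c dir"},   # benign cmd -> PowerShell
    {"pid": 800, "ppid": 700, "file": "powershell.exe", "cmd": "powershell.exe Get-Date"},
]

def ancestry(events, pid):
    """Events from the root ancestor down to pid, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    lineage = []
    while pid in by_pid:
        lineage.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return lineage[::-1]

def matches_chain(names):
    """From the first cmd.exe on, names must walk CHAIN in order; a stage may repeat."""
    names = [n.lower() for n in names]
    if "cmd.exe" not in names:
        return False
    i = 0
    for n in names[names.index("cmd.exe"):]:
        if i < len(CHAIN) and n == CHAIN[i]:
            i += 1
        elif i == 0 or n != CHAIN[i - 1]:
            return False            # any other image breaks the chain
    return i == len(CHAIN)

def hunt(events):
    """One alert per reg.exe whose lineage completes CHAIN, plus indicator hits."""
    alerts = []
    for e in events:
        lineage = ancestry(events, e["pid"])
        names = [p["file"] for p in lineage]
        if e["file"].lower() == CHAIN[-1] and matches_chain(names):
            cmdlines = " ".join(p["cmd"] for p in lineage).lower()
            hits = sorted(i for i in INDICATORS if i in cmdlines)
            alerts.append({"pid": e["pid"], "chain": names, "indicators": hits})
    return alerts
```

The benign `cmd.exe /c dir` → `Get-Date` pair produces no alert because the lineage never reaches client32.exe, which is the check the single-hop query cannot make.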

GitHub Source

Sandbox Analysis

Mitigation Commands

Windows:

```powershell
# Check for suspicious registry entries
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s | findstr "client32"

# Delete malicious files
Remove-Item -Path "$env:APPDATA\Application.zip" -Force
Remove-Item -Path "$env:APPDATA\Options" -Recurse -Force
```

Linux (Wine/Cross-Platform Analysis):

```bash
# Monitor process chain (requires auditd)
sudo auditctl -a exit,always -F arch=b64 -S execve -k bat_dropper

# Extract BAT script strings
strings malicious.bat | grep -E "powershell|client32|reg.exe"
```

What Undercode Say

BAT droppers remain a low-tech but effective evasion method. Key takeaways:

1. Monitor `cmd.exe` spawning PowerShell with unusual arguments.

2. Block ZIP executions from `%APPDATA%` via AppLocker.

3. Audit registry modifications (`reg.exe`) post-PowerShell execution.

Prediction: Expect more multi-stage obfuscation combining BAT, PowerShell, and living-off-the-land binaries (LOLBins) like reg.exe.

Expected Output:

  • Detected: `cmd.exe` → `powershell.exe` → `client32.exe`
  • Mitigation: Registry cleanup + file deletion
  • Hunting: KQL query + sandbox analysis

Reported By: 0x534c Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅