MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 9


SHA256 hash: 01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9
SHA3-384 hash: dcfdf41c056b8ad000c4da11f398df87a717d8f8aedfcefa1317d712b6d3d91fc0a8ceb25883b7f4bba98cc173acd499
SHA1 hash: a2b0d310fe8acb98d21ab9ffb7dac7cdcedf5348
MD5 hash: 778740fde9b90b9dba00950061087e9a
humanhash: stairway-magnesium-winter-may
File name: 778740fde9b90b9dba00950061087e9a.exe
Signature: NetSupport
File size: 3'369'048 bytes
First seen: 2021-05-07 23:16:06 UTC
Last seen: 2021-05-08 13:11:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:2ciTOmuJBYAZW7hHw1S7j9GbpDSSJicPZQk6iu:GTOFkAZW7hyS7j9GpzIyQX
Threatray: 535 similar samples on MalwareBazaar
TLSH: 7EF53301BBC6A4B2D176AE364C45B705467974102F11DB9AE7882DACEE74960333AFB3
Reporter: abuse_ch
Tags: coinduck.duckdns.org exe Knassar DK ApS NetSupport

abuse_ch
NetSupport C2:
62.173.140.217:1337

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
62.173.140.217:1337    https://threatfox.abuse.ch/ioc/32789/

Intelligence


File Origin
# of uploads: 3
# of downloads: 156
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Voice.exe
Verdict: Malicious activity
Analysis date: 2021-05-04 07:12:26 UTC
Tags: netsupport unwanted

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Sending a UDP request
Creating a file
Deleting a recently created file
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Connection attempt to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2021-05-04 22:38:52 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
SHA256 hash: 904f3e825cbb7d41b9e9b3eb1b58a9a269df751738ba58ebecba74e8aa9e0294
MD5 hash: c622b0970f4d2e3146bb00840cef3e5a
SHA1 hash: 22edbc60da2bcaec3ccc14cb729e8e12e4b2eb93

SHA256 hash: 4abeefc1de4cd4a873062443a45b41fde65aefeae577af74acd324d374f2bddb
MD5 hash: bc4edcc9345b165a693279401437bae5
SHA1 hash: 3b17f767b400fd56fe00fe7f5c30e02bcc6c8b6b

SHA256 hash: baefe83e992c40a811c6587b3f8217dfc8ff8dc2536414246aef752457b30310
MD5 hash: 8db1d5718bd225ac56f0d5bd44069a73
SHA1 hash: fe30947c90acd685d0145912556ea3b8a1398a9c

SHA256 hash: 30c0a2aae0673d18ae89607a817ea811c68765b71ad6625e4b2ff8cdaeb6d7dc
MD5 hash: 1819fe94e88334494aacc2a0f1ce569e
SHA1 hash: fa5c75c094db97c7d8b89e5f520e555202705489

SHA256 hash: bf7a80223df33f6f942774ee2bb510a17f3cc69ac57bc5f6c3ec41d8186106e1
MD5 hash: d631780dde30af7d14db7952524e443f
SHA1 hash: f9cea385f6f5c5ddb7f319f1686da414fc47f320

SHA256 hash: f5e8d0780c274e41fb1357767163448ac3615ffef7c6b88c4bc91fed18b735be
MD5 hash: 91edcf3e07f3cd9e87906f5e880c75cf
SHA1 hash: 78e6fdc303d4b72c16a7c241ca92f8fc16e58e66

SHA256 hash: 963b3ecfe74e86dcd2d4287fdfd3ac61770ea7cb75d0400777a62b98602e5641
MD5 hash: 129de0c1b90b6721a690054356ee495f
SHA1 hash: 6d61e52d622a9d5d6f8112468c36cdd7c5d1717e

SHA256 hash: 004ac9f6a6f12c2758ecf83e01cbb8bce8504d34677356daf4e3f5193f392bb1
MD5 hash: f92dc492121bb67c3889c95162feda66
SHA1 hash: 11167f4a28ee378b7cdd520018a6ea0abbff20fa

SHA256 hash: 01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9
MD5 hash: 778740fde9b90b9dba00950061087e9a
SHA1 hash: a2b0d310fe8acb98d21ab9ffb7dac7cdcedf5348
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-08 00:02:12 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
4) [C0032.001] Data Micro-objective::CRC32::Checksum
5) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
7) [F0004.007] Defense Evasion::Bypass Windows File Protection
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0051] File System Micro-objective::Read File
14) [C0050] File System Micro-objective::Set File Attributes
15) [C0052] File System Micro-objective::Writes File
16) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
17) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
20) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
21) [C0040] Process Micro-objective::Allocate Thread Local Storage
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0041] Process Micro-objective::Set Thread Local Storage Value
25) [C0018] Process Micro-objective::Terminate Process