MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123
SHA3-384 hash: f8b05ee20dae25b237f443ee2a389836d66db39af073b294ab977078d723eae381d08a18a0115e67a8a627743deb9d18
SHA1 hash: f65ab7270f297c572a30650c6941dea145cd83f1
MD5 hash: 2aa4741c22f4f7e9f7fb2318e974649c
humanhash: romeo-bravo-illinois-steak
File name:HHYGASDBBBX.hta
Download: download sample
Signature NetSupport
Create hunting rule
File size:1'262'682 bytes
First seen:2023-07-24 14:50:17 UTC
Last seen:2023-07-24 17:34:18 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 3072:XMyG1hNUveUzpkVDbffRhyTcVWRda4Ynq/gQ:XMJvzU6xffrMckdabq/gQ
TLSH T12745DB38397A7C2443DBDA1334F14B961CE9564FD1703A3B199AD8239A346C265B22FF
Reporter rmceoin
Tags:conluase62-com FakeSG hta NetSupport


Avatar
rmceoin
Infection chain
compromised site
-->
google-analytiks.com/sBY76j
-->
esteticalocarno.com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
-->
http://185.252.179.64:80/Downloads/shdeulerinstall.lnk
-->
www.esteticalocarno.com/wp-content/uploads/2018/04/HHYGASDBBBX.hta
-->
NetSupport GatewayAddress conluase62.com:5051

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Obfus-94.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123/results/dashboard
Behaviour
BlacklistAPI detected
Gathering data
Verdict:
Malicious
Labled as:
VBS:Electryon.308
Link:
https://www.hybrid-analysis.com/sample/069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1278397
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suspicious command line found
Suspicious powershell command line found
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278397 Sample: HHYGASDBBBX.hta Startdate: 24/07/2023 Architecture: WINDOWS Score: 72 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for submitted file 2->27 8 mshta.exe 19 2->8         started        process3 signatures4 29 Suspicious powershell command line found 8->29 31 Very long command line found 8->31 11 powershell.exe 13 8->11         started        process5 signatures6 33 Very long command line found 11->33 35 Suspicious command line found 11->35 37 Found suspicious powershell code related to unpacking or dynamic code loading 11->37 14 cmd.exe 1 11->14         started        17 conhost.exe 11->17         started        process7 signatures8 39 Suspicious powershell command line found 14->39 41 Very long command line found 14->41 19 powershell.exe 5 14->19         started        21 powershell.exe 3 14->21         started        23 conhost.exe 14->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 14:51:06 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
7 of 25 (28.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2nmdbhybovdz3mgfvtqijknk6mqngn5vfs2tpgcvcns3c3byerq._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230724-r757naeh61/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
NetSupport
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/069ac184f80b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

NetSupport

6b11ce7c0306afb09c81991aa88969f585e0a53bb6249346395c55970b85ae31

NetSupport

Shortcut (lnk) lnk 84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef

NetSupport

HTML Application (hta) hta 069ac184f80baa3ced862d6704254d57990699bda965a9bcc2a89b2d8b61c123

(this sample)

  
Link
https://infosec.exchange/@rmceoin/110769270597487875
  
Dropped by
SHA256 84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2688982/
  
Dropped by
MD5 fcfd7e25e415f1d9ee598ab41ca31840

Comments