MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 079a241c6823b3b60bc10eb136434853d48b552a2d274fa43df6c493e01b64f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 079a241c6823b3b60bc10eb136434853d48b552a2d274fa43df6c493e01b64f4
SHA3-384 hash: c75d1a76bf342f94751f35fce802a4e221bb8d2d2ddae52477dd92ee091d01850dfb5c67cdaf7ba7c8eb4527ea80d56c
SHA1 hash: 62b0f52d1d14f5cb744fe3dbe2a08e222a07e1cd
MD5 hash: faa6de8d4af45c2dc8280bd6add77210
humanhash: venus-bulldog-september-winter
File name:faa6de8d4af45c2dc8280bd6add77210.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'017'492 bytes
First seen:2022-01-05 15:41:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep 49152:9deRglK/V+UA15JEKnBPEDY08BTGvSNESvgs:90RH/VxgEKneY/BTXNESos
Threatray 248 similar samples on MalwareBazaar
TLSH T136953383B3E758F9D6663731ADF67B51C0BBFA38297364858B13065D39259C29A08F03
File icon (PE):PE icon
dhash icon 70e1e97171f47069 (1 x NetSupport)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
46.17.106.230:3543

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.17.106.230:3543 https://threatfox.abuse.ch/ioc/291389/

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
faa6de8d4af45c2dc8280bd6add77210.exe
Verdict:
Malicious activity
Analysis date:
2022-01-05 15:45:17 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/6adab500-09d7-435c-8e95-b550df63ddfd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetSupport
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217461/
Detection(s):
SecuriteInfo.com.FakeAV.ADRB.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
DNS request
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a window
Searching for the window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware netsupportmanager overlay packed remoteadmin
Link:
https://www.filescan.io/uploads/61d5bc4cbfe53d318f27d51e/reports/2ca6c6d5-c199-4857-843c-25fc977e7d66/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72e550f6-24f9-4a87-b445-849633283456
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/915897
Signature
Delayed program exit found
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/079a241c6823b3b60bc10eb136434853d48b552a2d274fa43df6c493e01b64f4/
Threat name:
Win32.Infostealer.ChePro
Create hunting rule
Status:
Malicious
First seen:
2021-11-04 00:11:00 UTC
File Type:
PE (Exe)
Extracted files:
460
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6ncihdieoz3mc6bb2ytmq2ikpkiwvjkfutu7jb563cjhya3mt2a._file
Verdict:
malicious
Similar samples:
17264370c9ff4397dd46337197a100b74a656b65718b6db9f3fd5a3a1bbeceb6
NetSupport
2bc947ba8cdd40b69936dbe365357961bdc99eb38fe999d9b906d10c5325a10e
NetSupport
39f85df74587155e28ea24e89d30dff0686c1f849df32b0a08a8c9838b623731
NetSupport
46159df1dd676199e544ddeec7acbb73ded7e90796330390b7db4eb4dd274cbd
NetSupport
8075a6c09ff4c8e8637128dc8500d59fc6b2e24fcfe34b7bc782c079f10428fa
NetSupport
98d74cdbcf31e2166ee1beca480bb0110278ab7ae76a5355d5fd6d63b909f101
NetSupport
9dc68d85aa368791204ac6afba32756a20627cb557478ccaa56abb24f971ece3
NetSupport
b7e88d00739d77f482b500b254c222ae19171e68a5cd574eaee7b43f0cf79f1d
NetSupport
+ 238 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/220105-s5b2gaaeb7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
SH256 hash:
2f7156ef8bb3eda4d82bf5152133f5b9547fbf31ff8106943c5911da2644d8a0
MD5 hash:
4f110b0c4842d762c1d3a5790bdc76c7
SHA1 hash:
b4120866efb0ec843f23231c3cced13220d9196c
Link:
https://www.unpac.me/results/17442cb5-6b13-4066-a63e-084e50e32087/
SH256 hash:
1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5 hash:
f525bd5dcec08be37a94d743d345be14
SHA1 hash:
ed1485111b370e0f75c004c5b253d3bf7ce18cf7
Link:
https://www.unpac.me/results/17442cb5-6b13-4066-a63e-084e50e32087/
SH256 hash:
934ba424145cb9a41f8e875a7ce9a3543d73a4c6ee11b91549f545395eb04027
MD5 hash:
0a87eb64650ae82f41281a1d8cbb8d5e
SHA1 hash:
d606cadf27a72bacb20918b1be3aa5351788d3ae
Link:
https://www.unpac.me/results/17442cb5-6b13-4066-a63e-084e50e32087/
SH256 hash:
10987c94d1e5b6175ffdd091507985270dcf38504df69745bee7f1400ba84f56
MD5 hash:
ea50603323772bb62808661df845c3ce
SHA1 hash:
74197a26375a0cd146be72388b44cda191f05aed
Link:
https://www.unpac.me/results/17442cb5-6b13-4066-a63e-084e50e32087/
SH256 hash:
1e4d6363e2e9d31e24a36caa382a431b365a0f31460b95f0fdd8892503dd1f93
MD5 hash:
61623521aee12d54c847a36fd9389915
SHA1 hash:
4dec6e630f557d17fc10b31d5b51e67e9f09b327
Link:
https://www.unpac.me/results/17442cb5-6b13-4066-a63e-084e50e32087/
SH256 hash:
96a93b78a15489363dd1a8bdcc76d0fc2093674601a2b9257100162c76af9eb5
MD5 hash:
f25787aed801709acc9ae81e8d6429a6
SHA1 hash:
25c650404f20796b3c9515effdcfa814d856ad3e
Link:
https://www.unpac.me/results/17442cb5-6b13-4066-a63e-084e50e32087/
SH256 hash:
079a241c6823b3b60bc10eb136434853d48b552a2d274fa43df6c493e01b64f4
MD5 hash:
faa6de8d4af45c2dc8280bd6add77210
SHA1 hash:
62b0f52d1d14f5cb744fe3dbe2a08e222a07e1cd
Link:
https://www.unpac.me/results/17442cb5-6b13-4066-a63e-084e50e32087/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/079a241c6823b3b60bc10eb136434853d48b552a2d274fa43df6c493e01b64f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217461/

Comments