MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10cb4b192833f0670c4ec6fa05898ac776862e22d7370787d6ddb915b7777bdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 12


SHA256 hash: 10cb4b192833f0670c4ec6fa05898ac776862e22d7370787d6ddb915b7777bdb
SHA3-384 hash: 7ee94a6f24f0e5de52818b357a9df454f3ffa8314dd2313077a3c64a3b1a78e5538023821a462585229eca22c79cc6b5
SHA1 hash: fdd2b31bbf3320d31aa3eb6e67eada9d15bc88fb
MD5 hash: 5978ee8fc33a5f8ee35731e3ed54d4dc
humanhash: angel-salami-nineteen-sink
File name: 5978ee8fc33a5f8ee35731e3ed54d4dc.exe
Signature: NetSupport
File size: 26'280'770 bytes
First seen: 2022-09-21 07:11:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d23703a6f12b30c40e0b3bc256b113cd (2 x NetSupport, 1 x Blackmoon, 1 x ValleyRAT)
ssdeep: 786432:MHwiu9WM+JVjjS++8yOvSAoeykWVLI5+YDmdc4s:MHwvWnJVjjptvToeykWV851Cw
TLSH: T12B471220764AC43BCA6701B11D3CDA9F517CAE661BB154C7B3CC2E6E1AB55C21732E2B
TrID: 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.9% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter: abuse_ch
Tags: alle13net1-com exe NetSupport


abuse_ch
NetSupport C2:
176.124.216.31:5511

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
176.124.216.31:5511 | https://threatfox.abuse.ch/ioc/850856/

Intelligence


File Origin
# of uploads: 1
# of downloads: 312
Origin country: n/a
Vendor Threat Intelligence
Malware family:
netsupport
ID:
1
File name:
5978ee8fc33a5f8ee35731e3ed54d4dc.exe
Verdict:
Malicious activity
Analysis date:
2022-09-21 07:11:55 UTC
Tags:
unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint greyware msiexec.exe overlay packed setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Result
Threat name:
Babadeda
Detection:
malicious
Classification:
troj
Score:
72 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Babadeda
Behaviour
Behavior Graph:
[Behavior Graph ID 706903; sample iDyC9N8FCE.exe; start date 21/09/2022; architecture WINDOWS; score 72. Network: alle13net1.com, www-bing-com.dual-a-0001.a-msedge.net and 3 other IPs or domains; Snort IDS alert for network traffic; Multi AV Scanner detection for dropped and submitted file; Yara detected Babadeda. Processes: msiexec.exe and iDyC9N8FCE.exe started from the sample; msiexec.exe spawns further msiexec.exe instances and gwspro.exe. Dropped files: C:\Windows\Installer\MSIF900.tmp, MSIF5A4.tmp, MSIF351.tmp (PE32) plus 107 other files (none malicious) from msiexec.exe; C:\Users\user\AppData\Roaming\...\decoder.dll, zlib1.dll, wthnl.dll (PE32) plus 105 other files (none malicious) from iDyC9N8FCE.exe.]
Threat name:
Win32.Infostealer.ChePro
Status:
Malicious
First seen:
2022-09-14 20:52:39 UTC
File Type:
PE (Exe)
Extracted files:
1545
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
netsupport
Score:
  10/10
Tags:
family:babadeda family:netsupport crypter loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Maps connected drives based on registry
Drops startup file
Loads dropped DLL
Executes dropped EXE
Babadeda
Babadeda Crypter
NetSupport
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments