MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10fcf8da6000e34f9e8b8b173b6f8a65b6128e2422db510a52902648f51f9461. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NetSupport
Vendor detections: 9


SHA256 hash: 10fcf8da6000e34f9e8b8b173b6f8a65b6128e2422db510a52902648f51f9461
SHA3-384 hash: 5567e86b5bb5c399d32cb32bd9eab527d504b6a374b3fbe329b5203e9fc681c5ef68cb16b18a09b34e45fd3af8eea812
SHA1 hash: 9e95ab36804c0a0093754c3bd1a11097c5835896
MD5 hash: 47fb4ab2b3105fd6e0a14d07429ee557
humanhash: alanine-delta-paris-princess
File name: 10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB5.exe
Signature: NetSupport
File size: 5'964'486 bytes
First seen: 2021-06-24 22:26:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep: 98304:3ZYNIUvHb7JJLm/FjbpV85fiYAQTYxXWalFhh/l+5WKpdmLTe21F4K45MUjCAPtM:3kJfPK/FHz85KYAQTeFh2VmPe2kziUji
Threatray: 605 similar samples on MalwareBazaar
TLSH: 9C563331F4860172D66248320E6C969CB06EBD941CD1996FE7CD3D6D4B7A063722BFE2
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
192.169.69.25:1893

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
192.169.69.25:1893   https://threatfox.abuse.ch/ioc/153499/

Intelligence

File Origin
# of uploads: 1
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB5.exe
Verdict: Malicious activity
Analysis date: 2021-06-24 22:29:57 UTC
Tags: unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Behaviour

Behavior Graph ID: 440223
Sample: 10FCF8DA6000E34F9E8B8B173B6...
Start date: 25/06/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses known network protocols on non-standard ports

Process chain:
10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB5.exe (started)
  drops C:\Users\user\AppData\...\WinSupport.exe (PE32)
  starts WinSupport.exe
    contacts 192.168.2.1 (private address; ASN and country unknown)
    drops C:\Users\user\AppData\Roaming\...\pcisys.sys (PE32)
    drops C:\Users\user\AppData\Roaming\...\nspscr.sys (PE32)
    drops C:\Users\user\AppData\...\nskbfltr.sys (PE32)
    drops 42 other files (2 malicious)
    signature: Sample is not signed and drops a device driver
    starts client32.exe
      speedsupport.duckdns.org -> 192.169.69.25, port 1893 (local ports 49737, 49741), WOWUS, United States
      geography.netsupportsoftware.com -> 195.171.92.116, port 80 (local port 49738), BT-UK-AS BTnet UK Regional network, United Kingdom
      geo.netsupportsoftware.com
      signature: Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
      signature: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
      signature: Query firmware table information (likely to detect VMs)
      6 other signatures
client32.exe (started separately)
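The C2 listed in the IOC section and the process chain above (WinSupport.exe dropping drivers and client32.exe under the user profile, then client32.exe talking to speedsupport.duckdns.org on port 1893) are enough to write a host and network IOC check. The following is an added example, not MalwareBazaar or abuse.ch code, that scans Sysmon-style JSON-lines telemetry for the indicators on this page. The telemetry is constructed for the example, the event field names and record ids are assumptions, and the placeholder_dir folder stands in for the AppData subdirectory the sandbox elided.

```python
import json
import re

# Indicators from this page: the C2 reported by abuse_ch, the DuckDNS host the
# sandbox saw resolve to it, and the SHA256 of the submitted sample and of one
# of its unpacked files (hex kept lowercase for comparison).
C2_ENDPOINTS = {("192.169.69.25", 1893)}
C2_DOMAINS = {"speedsupport.duckdns.org"}
KNOWN_SHA256 = {
    "10fcf8da6000e34f9e8b8b173b6f8a65b6128e2422db510a52902648f51f9461",
    "79465e931309ddb5acadcb2da9745197e1f2979af753c8c5c19eda06dbf88093",
}
# Files the sandbox saw the sample drop under the user profile before it
# launched client32.exe.
DROPPED_NAMES = {"winsupport.exe", "client32.exe", "pcisys.sys", "nspscr.sys", "nskbfltr.sys"}
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _sha256_from_hashes(field):
    """Pull the SHA256 member out of a Sysmon-style 'SHA256=..,MD5=..' field."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_event(ev):
    """Return the IOC hits for one event as a list of 'kind:value' strings."""
    hits = []
    kind = ev.get("EventType")
    if kind == "NetworkConnect":
        dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if dest in C2_ENDPOINTS:
            hits.append("c2-endpoint:%s:%d" % dest)
        host = (ev.get("DestinationHostname") or "").lower()
        if host in C2_DOMAINS:
            hits.append("c2-domain:" + host)
    elif kind == "DnsQuery":
        name = ev.get("QueryName", "").lower()
        if name in C2_DOMAINS:
            hits.append("c2-domain:" + name)
    elif kind in ("ProcessCreate", "FileCreate"):
        path = ev.get("Image") or ev.get("TargetFilename") or ""
        # client32.exe is NetSupport's legitimate client; what marks this sample
        # is running it, and dropping device drivers, from AppData. The file
        # name alone is therefore not enough: require the profile path as well.
        if _basename(path) in DROPPED_NAMES and USER_PROFILE.match(path):
            hits.append("dropped-file:" + _basename(path))
        sha = _sha256_from_hashes(ev.get("Hashes", ""))
        if sha in KNOWN_SHA256:
            hits.append("sha256:" + sha)
    return hits


def scan(jsonl):
    """Scan JSON-lines telemetry; return [(RecordId, hits)] for matching events."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            hits = match_event(ev)
            if hits:
                findings.append((ev.get("RecordId"), hits))
    return findings


# Constructed telemetry mirroring the sandbox's process chain; not a real
# capture. 'placeholder_dir' stands in for the AppData subfolder the page elides.
SAMPLE_TELEMETRY = r"""
{"RecordId": 1, "EventType": "ProcessCreate", "Image": "C:\\Users\\user\\Downloads\\10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB5.exe", "Hashes": "SHA256=10FCF8DA6000E34F9E8B8B173B6F8A65B6128E2422DB510A52902648F51F9461,MD5=47FB4AB2B3105FD6E0A14D07429EE557"}
{"RecordId": 2, "EventType": "FileCreate", "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\placeholder_dir\\nskbfltr.sys"}
{"RecordId": 3, "EventType": "ProcessCreate", "Image": "C:\\Users\\user\\AppData\\Roaming\\placeholder_dir\\client32.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"RecordId": 4, "EventType": "ProcessCreate", "Image": "C:\\Program Files\\NetSupport\\client32.exe", "Hashes": "MD5=00000000000000000000000000000000"}
{"RecordId": 5, "EventType": "DnsQuery", "QueryName": "speedsupport.duckdns.org"}
{"RecordId": 6, "EventType": "NetworkConnect", "DestinationIp": "192.169.69.25", "DestinationPort": 1893, "DestinationHostname": "speedsupport.duckdns.org"}
{"RecordId": 7, "EventType": "NetworkConnect", "DestinationIp": "195.171.92.116", "DestinationPort": 80, "DestinationHostname": "geography.netsupportsoftware.com"}
"""

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_TELEMETRY):
        print(record_id, ", ".join(hits))
```

Run stand-alone, it reports records 1, 2, 3, 5 and 6. Record 4, a client32.exe under Program Files, is deliberately not flagged, since that is where a legitimate NetSupport install lives; record 7 is the vendor's own geography.netsupportsoftware.com lookup, which the page does not list as an IOC, so it is also left alone. The MD5 and SHA1 values on this page, and the remaining unpacked-file hashes, can be added to the sets in the same way.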
Threat name: Win32.PUA.Presenoker
Status: Malicious
First seen: 2018-09-24 02:43:50 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 1/5

Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files

SHA256: 79465e931309ddb5acadcb2da9745197e1f2979af753c8c5c19eda06dbf88093
MD5: 40400afa3e4a9750b0561139867460d2
SHA1: da7bb84772ea5bd4ab597899c2d4f187725ccfea

SHA256: 1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5: f525bd5dcec08be37a94d743d345be14
SHA1: ed1485111b370e0f75c004c5b253d3bf7ce18cf7

SHA256: 11d565456f3bd156239ea73aef4c45311fb5e47c1f4c5541f43b3c4241195310
MD5: 99ee1c388b933aff94acdf44178bc436
SHA1: e20a2eab19c9aa980ec124523ce83f603eddaba3

SHA256: 937d47eedb692905e8a5a5d9709903d3cc7d3cdbb15757f5238b5de55305801b
MD5: 9c847bb1bbcf4a32bb7509b4ab2ccf0c
SHA1: 802648c407df8c0c908d29cf9502bd5d2d751e6a

SHA256: af6b259fbcdf021ae1529648fb106ebe86ddfc7e3bdb2704a47d31728e4950bf
MD5: d7c363930392779686ba5aa775a5822a
SHA1: 7438bba01fd95d90a22e3d6f4ad4272eef45508e

SHA256: fc627ad158394bbb457deb328b01a00b8a0419a683602a651c2d7dd21da5fccd
MD5: 7559035d2915dd8b3bd5332297328160
SHA1: 71a20a2f06e838a5bc7450583c780a0277a6a50b

SHA256: 48bc688d69d9904d03274f1016d7416b725f61e69469da78e260d674f26a0bfd
MD5: 2169fb50538283ae68e22a07c605e754
SHA1: 63b08dd8295a6d5ec336175631e0a20128457728

SHA256: 7545ac911aac7fa661ea74221aaf1ee8070471a938fddda09db2814b875ea28f
MD5: ec1ecc9dbc69959b80d3696b668dca17
SHA1: 569c7e38017207aa2ff9cbe3319001a1aaaf21ff

SHA256: 6e05df593a2d0703c7729a864ba45d8b8e2574469195058efaa1ab899e95b813
MD5: 8d7c8a3a2ad69bab660a2e56a9a7f626
SHA1: 2c96e1d689ae80b62b78f9c63b5a68ab4bb8a63e

SHA256: 31a174ad78f61390e48e27e38a633816d2ef14d1b27986958ac8463c72cb43c6
MD5: 8bcebfa94bf51197a238a083dcf12973
SHA1: 0796a837e9ff6fd13e9062805db6e71c1ab74b2d

SHA256: 10fcf8da6000e34f9e8b8b173b6f8a65b6128e2422db510a52902648f51f9461 (the submitted sample itself)
MD5: 47fb4ab2b3105fd6e0a14d07429ee557
SHA1: 9e95ab36804c0a0093754c3bd1a11097c5835896
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments