MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12cda2b4c69e83ff66a7e583597e6182cc95211c305829b586301906e6351949. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12cda2b4c69e83ff66a7e583597e6182cc95211c305829b586301906e6351949
SHA3-384 hash: e1f301f35e44ee11083b2ddcce6221c941646db5d0c0fb1ca5f9b0497150d6f6ddd5606fde5255ca477832f86db3820e
SHA1 hash: e915fd1a5f8483991069cc41abf872489faa7a19
MD5 hash: 359dc605a71b25b69d2e7673202c79c2
humanhash: victor-india-mockingbird-colorado
File name:359dc605a71b25b69d2e7673202c79c2.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'242'826 bytes
First seen:2023-03-26 08:40:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep 49152:tt6iaPw71zyI2im0OoGZ3/uHOo8PWVjnJEZGVuuRkKsN/CrgjNQ:tt6iaPw71zP2ib7TaW7EZGUQvsAONQ
Threatray 206 similar samples on MalwareBazaar
TLSH T1EAA533923994F171EEF94030EE2751FE8E70FD36DAA8A4437B647E4939705A3801B693
TrID 76.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
8.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f0f0e0e0e0e0e0f0 (1 x NetSupport)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
188.40.130.169:2140

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
359dc605a71b25b69d2e7673202c79c2.exe
Verdict:
Malicious activity
Analysis date:
2023-03-26 08:44:02 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/ef9e975f-13db-4917-93b7-a0ae30a467b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377517/
Detection(s):
SecuriteInfo.com.FakeAV.ADRB.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74948/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm cmd.exe control.exe cscript.exe evasive explorer.exe fingerprint greyware hacktool keylogger netsupport netsupportmanager overlay packed packed remoteadmin shdocvw.dll shell32.dll wscript.exe
Link:
https://www.filescan.io/uploads/6420051f80ca4ca1ff595910/reports/11734769-b103-4ebe-bc9a-c0fbe64286a9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/12cda2b4c69e83ff66a7e583597e6182cc95211c305829b586301906e6351949
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bc2bd04f-c676-4102-aac0-ce65589c2d05
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1202074
Signature
Found potential ransomware demand text
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12cda2b4c69e83ff66a7e583597e6182cc95211c305829b586301906e6351949/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 13:12:10 UTC
File Type:
PE (Exe)
Extracted files:
469
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=clg2fnggt2b76zvh4wbvs7tbqlgjkii4gbmctnmggamqnzrvdfeq._file
Verdict:
malicious
Similar samples:
39f85df74587155e28ea24e89d30dff0686c1f849df32b0a08a8c9838b623731
NetSupport
48d8e801a917f6d84cb7c144358302402e0f03f8a3667cdbf4be5ad95ec32c6a
NetSupport
5a7de361bcc0ff503cf974023547853abe74c8bc336bcd04983dd42a39b4015a
NetSupport
996004853edac15918294b18cc8f7145b2e4f230f83fc90314c8253a9eb3772f
NetSupport
ccc6693d703b68b3bd0e697cbff8f1f59cb4b5aed29da770d8000f3dc61917c1
NetSupport
db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856
NetSupport
+ 196 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230326-klez1shh5z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
9d18df025753b815c98d2686a33853f65647ad8a520e448d940dddb3801ecfb8
MD5 hash:
bcf7ccea10249f1dff0e1d4105c602fd
SHA1 hash:
8d7e204d55427367b9507b3f8932f2fed0caeb0b
Link:
https://www.unpac.me/results/81f411b9-91c3-4eb0-9ad3-b829575514cf/
SH256 hash:
25cf89151f30abb8327f6a40c6f20aea3d13cd53bb05269d75a5a314367d1788
MD5 hash:
07e1b2f2285bafab5957e81a73e11b54
SHA1 hash:
efce042ce4f28da6130f18ab0c7e55284822da42
Link:
https://www.unpac.me/results/81f411b9-91c3-4eb0-9ad3-b829575514cf/
SH256 hash:
9dd994694200780c9c395c8fb08c6b6055c2107df52b23654c95e24c42fd57fa
MD5 hash:
723cab3bc70833a3e2a6d60573c0d34d
SHA1 hash:
bca468b3988930351b288bf41135b945c7da8597
Link:
https://www.unpac.me/results/81f411b9-91c3-4eb0-9ad3-b829575514cf/
SH256 hash:
86ade10b31a3196bd31b2e9e207e517e1696ad123adc1df459da0298c66b7d76
MD5 hash:
dc7ee924d661c2101d2cf3a65545037a
SHA1 hash:
9e4c7d1ef6ec327ebcfdffa71517923cc22fd277
Link:
https://www.unpac.me/results/81f411b9-91c3-4eb0-9ad3-b829575514cf/
SH256 hash:
08844a57e7b63939e4e9474b11426c879efc9efe19ee5e43dfc75828e266e9d3
MD5 hash:
0a904ecf66030e59536984df2ad6cc4d
SHA1 hash:
8cc8a9017499581870fcddc8b7fec6d4215d0893
Link:
https://www.unpac.me/results/81f411b9-91c3-4eb0-9ad3-b829575514cf/
SH256 hash:
88674f92499024693fc47a29be1516d967ec8fcb48f45491fa59d67e08ccd864
MD5 hash:
9e784958f1379902e84907d2554d2eb8
SHA1 hash:
7ee275fedb6ae9a7b82b1f64a042b3920bc3dfe5
Link:
https://www.unpac.me/results/81f411b9-91c3-4eb0-9ad3-b829575514cf/
SH256 hash:
12cda2b4c69e83ff66a7e583597e6182cc95211c305829b586301906e6351949
MD5 hash:
359dc605a71b25b69d2e7673202c79c2
SHA1 hash:
e915fd1a5f8483991069cc41abf872489faa7a19
Link:
https://www.unpac.me/results/81f411b9-91c3-4eb0-9ad3-b829575514cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12cda2b4c69e83ff66a7e583597e6182cc95211c305829b586301906e6351949

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/377517/

Comments