MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993
SHA3-384 hash:	0e781c46e27f4bc6aa397b1a8d29968ba6b7cd00e321f0ecb9094a726664b4a4af0579c9af34fa642370d5b81a07167b
SHA1 hash:	b8478aeb0e3241542adc3df2f819546e2de3dd36
MD5 hash:	0dfb4556324aec190bb1110b81d47fce
humanhash:	video-echo-london-idaho
File name:	0dfb4556324aec190bb1110b81d47fce.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	8'431'472 bytes
First seen:	2023-07-18 12:42:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1dbbbcd79b879b270040089431be4013 (1 x NetSupport)
ssdeep	12288:2bi4AKzNIvHYBoapFVtzPHXYwgM6BEL8s1RATh73PzXTwnT1cQ47gDckpPWUNQVt:xV6ebapZzfUMq11L8+WdH/GPP7VknN8
TLSH	T157863821F283C4E6CC7226F86B557364403C2933CED8783B7794896A3DE5EAB3525972
TrID	28.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 26.2% (.SCR) Windows screen saver (13097/50/3) 20.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 9.0% (.EXE) Win32 Executable (generic) (4505/5/1) 4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	abuse_ch
Tags:	exe NetSupport RAT savastijir1.com savastijir2.com

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

netsupport

ID:

File name:

0dfb4556324aec190bb1110b81d47fce.exe

Verdict:

Malicious activity

Analysis date:

2023-07-18 12:44:11 UTC

Tags:

netsupport remote unwanted

Link:

https://app.any.run/tasks/3d284407-0233-4986-afe5-4a68f2879b93

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/423458/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Connecting to a non-recommended domain

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Launching a process

Creating a process with a hidden window

Creating a process from a recently created file

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware keylogger lolbin overlay packed

Link:

https://www.filescan.io/uploads/64b688da2ad0f7418d6a11fa/reports/17c6f6d5-13ec-4973-b18b-c8fcd5f5a349/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993

Result

Verdict:

MALICIOUS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16677073-900a-4f29-8715-540e9d9924d9

Gathering data

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2023-07-18 12:43:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 25 (52.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmpr2yp4mto5xkiyyaftpw2w7eiegzetvhxlikz2oamnmysnlgjq._file

Verdict:

malicious

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/230718-pxxfnaba5w/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

NetSupport

Unpacked files

SH256 hash:

dedbd7bf8be05ca7dadec668f6fc825762e8a8356ed589485fd556b0524bc0d9

MD5 hash:

edd2fa012187b59b9a01094d8ff87ed8

SHA1 hash:

1618c492e939d0dd6383df55fcd83e17203544c9

Link:

https://www.unpac.me/results/77bc18a9-5cdb-44ea-afc4-e572161f81d1/

SH256 hash:

131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993

MD5 hash:

0dfb4556324aec190bb1110b81d47fce

SHA1 hash:

b8478aeb0e3241542adc3df2f819546e2de3dd36

Link:

https://www.unpac.me/results/77bc18a9-5cdb-44ea-afc4-e572161f81d1/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/131f1d61fc64/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/423458/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample