MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b23f6605bf3ee638b369bc344cbd02591b5a9ab320a874b07088652b8d93888. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 10



SHA256 hash: 1b23f6605bf3ee638b369bc344cbd02591b5a9ab320a874b07088652b8d93888
SHA3-384 hash: 7155ce0167ffa31812b6dda4e7cc2216e4e128dda8a8e11578345081fe219a330152b35a6f73163acef354fcace99381
SHA1 hash: 9883c2037aba20b5a962a121030360e989261bde
MD5 hash: 2db4e85f42ab1b1b22a6829f273566a7
humanhash: minnesota-november-spring-artist
File name: 2db4e85f42ab1b1b22a6829f273566a7.bin
Signature: NetSupport
File size: 417'792 bytes
First seen: 2023-03-21 06:58:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2053909a946a770e91562fee33517d62 (1 x NetSupport)
ssdeep 6144:AZqs7XDQk8PFrWKN5nwtm/NYGridElYaa/7d8BrNtDAqlPJedOJKn4eirAj:AZqs7XWiKNBwaNtCZNKJdJZsj
Threatray 149 similar samples on MalwareBazaar
TLSH T19F94D011BBE2C072E907097A092B476E9736FD4A1F2587C7EF941E1ECE702D29E36251
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon f0ecb2bae9f2ccf0 (1 x NetSupport)
Reporter abuse_ch
Tags: bin exe NetSupport

Intelligence


File Origin
# of uploads: 1
# of downloads: 240
Origin country: n/a
Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: 2db4e85f42ab1b1b22a6829f273566a7.bin
Verdict: Malicious activity
Analysis date: 2023-03-21 06:59:36 UTC
Tags: unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed shell32.dll
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC Stealer
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files with a suspicious file extension
Found potential ransomware demand text
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Behaviour
Behavior Graph (ID 831174; sample 0ud2VlMOvF.exe; start date 21/03/2023; architecture WINDOWS; score 100)
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
Process tree, with the network contacts, dropped files and signatures attributed to each process:
- 0ud2VlMOvF.exe
    network: mediainfotv.xyz 198.54.121.245, ports 443, 49695, 49696 (NAMECHEAP-NETUS, United States)
    dropped: C:\Users\user\AppData\...\remcmdstub.exe (PE32); C:\Users\user\AppData\Roaming\...\pcicapi.dll (PE32); C:\Users\user\AppData\...\client32.exe (PE32); 7 other files (none is malicious)
    signatures: Detected unpacking (creates a PE file in dynamic memory); Performs DNS queries to domains with low reputation
  - rrrr.exe
      dropped: C:\Users\user\AppData\Local\...ngine.exe (PE32)
    - Engine.exe
      - cmd.exe
          signatures: Obfuscated command line found; Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
        - cmd.exe
            dropped: C:\Users\user\AppData\Local\...\Close.exe.pif (PE32)
            signatures: Obfuscated command line found; Uses ping.exe to sleep
          - Close.exe.pif
              network: tOetxOrXardQngRI.tOetxOrXardQngRI
              signatures: Injects a PE file into a foreign processes
            - Close.exe.pif
                network: 82.118.23.50, port 80 (GREENFLOID-ASUA, Ukraine)
                signatures: Tries to harvest and steal browser information (history, passwords, etc)
          - PING.EXE
              network: 192.168.2.1 (unknown)
          - powershell.exe
          - 2 other processes
        - conhost.exe
  - client32.exe
      network: upl0ad3d.com 109.107.178.106, ports 2552, 49697 (TELEPORT-TV-ASRU, Russian Federation); geography.netsupportsoftware.com 51.142.119.24, ports 49698, 80 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United Kingdom); geo.netsupportsoftware.com
      signatures: Multi AV Scanner detection for dropped file
- client32.exe
- client32.exe
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-03-21 06:59:07 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport persistence rat upx
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
NetSupport
Unpacked files
SHA256 hash: 226dbb3a8bfe9af04593642653b3d33bf5cf74b4e966fba3b503807699559882
MD5 hash: 3703dde8486c660ff740b1b585830505
SHA1 hash: b4fbd2a146bfebe25e3fdaec563b59823efcbf85
SHA256 hash: 1b23f6605bf3ee638b369bc344cbd02591b5a9ab320a874b07088652b8d93888
MD5 hash: 2db4e85f42ab1b1b22a6829f273566a7
SHA1 hash: 9883c2037aba20b5a962a121030360e989261bde
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments