MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b
SHA3-384 hash: d5f60a124f6f1813f618d5e58e5641053f93b2daf946b3d31216be302f85c0a5490fbf7b536a7f68bc70c68fd0e164c0
SHA1 hash: f04c101a750b1d9b7c3fdf266f5d0819524d26d2
MD5 hash: e95cd3612377e76eaac412273353553e
humanhash: delaware-vegan-pizza-robert
File name:local-EN.hta
Download: download sample
Signature NetSupport
Create hunting rule
File size:1'250'991 bytes
First seen:2023-07-26 12:42:07 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 3072:SpAh5Ac+r/ogwE3uTxFmMNZVR4a07XMWe5PPU:Spk5+xwEeTv5V3EQVs
TLSH T17F45DB38397A7C2443DBDA1334F14B961CE9564FD1703A3B199AD8239A346C265B22FF
Reporter rmceoin
Tags:94-158-244-41 FakeSG hta NetSupport


Avatar
rmceoin
Infection chain
compromised site
-->
google-analytiks.com/sBY76j
-->
tre100.in/wp-content/uploads/2021/10/Install Updater (V105.215.8411-downloader-silent).url
-->
http://185.252.179.64:80/Downloads/local-downloadersilent-install(v105).lnk
-->
tre100.in/wp-content/uploads/2021/09/local-EN.hta
-->
NetSupport GatewayAddress 94.158.244.41:443

228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b local-EN.hta

tre100.in/wp-content/uploads/2021/07/LocationTrack.zip
tre100.in/wp-content/uploads/2021/07/client32.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Obfus-94.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b/results/dashboard
Behaviour
BlacklistAPI detected
Gathering data
Verdict:
Malicious
Labled as:
VBS:Electryon.308
Link:
https://www.hybrid-analysis.com/sample/228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b
Result
Verdict:
MALICIOUS
Result
Threat name:
Cobalt Strike, NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
evad.troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280146
Signature
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell drops NetSupport RAT client
Suspicious command line found
Suspicious powershell command line found
Very long command line found
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1280146 Sample: local-EN.hta Startdate: 26/07/2023 Architecture: WINDOWS Score: 100 75 tre100.in 2->75 77 geography.netsupportsoftware.com 2->77 79 geo.netsupportsoftware.com 2->79 89 Multi AV Scanner detection for domain / URL 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 95 10 other signatures 2->95 12 mshta.exe 19 2->12         started        15 powershell.exe 2->15         started        17 client32.exe 2->17         started        20 taskkill.exe 2->20         started        signatures3 process4 dnsIp5 113 Detected Cobalt Strike Beacon 12->113 115 Suspicious powershell command line found 12->115 117 Very long command line found 12->117 22 powershell.exe 12 12->22         started        25 conhost.exe 15->25         started        27 reg.exe 15->27         started        29 client32.exe 15->29         started        71 94.158.244.41, 443, 50352 MIVOCLOUDMD Moldova Republic of 17->71 73 geography.netsupportsoftware.com 62.172.138.67, 50353, 80 BTGB United Kingdom 17->73 31 conhost.exe 20->31         started        signatures6 process7 signatures8 97 Detected Cobalt Strike Beacon 22->97 99 Suspicious powershell command line found 22->99 101 Very long command line found 22->101 103 4 other signatures 22->103 33 cmd.exe 1 22->33         started        36 conhost.exe 22->36         started        process9 signatures10 83 Detected Cobalt Strike Beacon 33->83 85 Suspicious powershell command line found 33->85 87 Very long command line found 33->87 38 powershell.exe 15 49 33->38         started        43 powershell.exe 15 33->43         started        45 conhost.exe 33->45         started        process11 dnsIp12 81 tre100.in 65.1.229.25, 443, 50343, 50344 AMAZON-02US United States 38->81 59 C:\Users\user\AppData\Roaming\client32.exe, PE32 38->59 dropped 61 C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32 38->61 dropped 63 C:\Users\user\AppData\...\client32.exe (copy), PE32 38->63 dropped 65 6 other files (5 malicious) 38->65 dropped 105 Detected Cobalt Strike Beacon 38->105 107 Suspicious powershell command line found 38->107 109 Very long command line found 38->109 111 Encrypted powershell cmdline option found 38->111 47 powershell.exe 24 38->47         started        file13 signatures14 process15 file16 67 C:\Users\user\AppData\...\o2154d3v.cmdline, Unicode 47->67 dropped 69 C:\Users\user\AppData\Local\Temp\CMSTP.inf, Windows 47->69 dropped 50 csc.exe 3 47->50         started        53 cmstp.exe 7 47->53         started        process17 file18 57 C:\Users\user\AppData\Local\...\o2154d3v.dll, PE32 50->57 dropped 55 cvtres.exe 1 50->55         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 12:43:05 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekflhzfwp7q6myozb43vlzrp6zvjez3wl4i6d5r3wccpaxdklavq._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230726-pxw5wsca2x/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
NetSupport
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/228ab3e4b67f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

HTML Application (hta) hta 228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b

(this sample)

  
Link
https://infosec.exchange/@rmceoin/110780432679282210
  
Delivery method
Distributed via web download

Comments