MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 13


SHA256 hash: 28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8
SHA3-384 hash: 8a2bd8d05ce0cc397d06950dc4aed90275df1cfcf2d10e5860791aad0081ef2ea2975aaf45facdad7ece046b88bfa20c
SHA1 hash: fa86b41a76c8e648c49932c1ecc1e1153ec84303
MD5 hash: d5b34f5725505bff297714ca9b401b41
humanhash: lithium-eight-florida-stairway
File name: file
Signature: NetSupport
File size: 2'240'226 bytes
First seen: 2022-09-06 00:47:49 UTC
Last seen: 2022-09-06 23:03:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep: 24576:UFszWS5iKrSzp+HYWc3LzMHHf9w4A1uSjxRI0720pbmD/XvfPlWdEllDU4bqkpDD:U3F+tf/UcSjE07Pp+nPUqJUGLj
Threatray: 351 similar samples on MalwareBazaar
TLSH: T160A5CE762E61C438CAD506F0C5342BF488AA9C7DE411A12BA27E3F66F3742875E70776
TrID: 76.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      9.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: 071b27464b0f5a5a (1 x NetSupport)
Reporter: andretavare5
Tags: exe NetSupport


andretavare5
Sample downloaded from https://vk.com/doc572676066_644201078?hash=WGhsFcumazUGfZu0rvxLyy3uBRA2nLfEp6Js3Ts9DLo&dl=GU3TENRXGYYDMNQ:1662378837:EQrgO4CugC32sr2p2C6PZiftSc9AhZF8OM3wzujuFkP&api=1&no_preview=1#210us300

Intelligence


File Origin
# of uploads: 5
# of downloads: 349
Origin country: n/a
Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-09-06 00:52:51 UTC
Tags: unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
DNS request
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Query of malicious DNS domain
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Antivirus detection for URL or domain
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2022-09-06 00:48:18 UTC
File Type: PE (Exe)
Extracted files: 461
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
SHA256 hash: c184df06f8bcac94611d650f605bae24dc084931b54bcb0695924e368ada77c1
MD5 hash: e21ab166b5bb3a910c4137694a0e82a0
SHA1 hash: 69bff32f6891f63ca2017e48132ca55939af9608

SHA256 hash: ea6da4d7eea865770043a0b13e0f7e44dbe589692014fc50e9f8c198d8cd9b49
MD5 hash: 1f35590e33911ebe89398568e93082b6
SHA1 hash: c05175258df7aa5b6602d63bfce2a1aa6209d181

SHA256 hash: 0dd3241637bd5c8089378b1dc81985e0bf36f6e2802a75972cde9ad6c99d3091
MD5 hash: 47ab5924f77a63413a499ddb590791f3
SHA1 hash: bdd987d9d4c0de4ca7c45874f27c2638f486d4c4

SHA256 hash: c56580343b6938b679dc1bb78b5f14d0dd0d9ca6831da3af0d60c185d5cbf512
MD5 hash: e0cc9ec4a4f75559e108289d63b2c3b1
SHA1 hash: b28df98a2d9a09f0bf8627988d659a754506ab3f

SHA256 hash: c14f52f2f2ff6849f62aec0d673a30b642ace947b87bac737b1042c2ca85e2a7
MD5 hash: cd90644efd4ec4bf9d63bf7e5b374fb8
SHA1 hash: 56e23964cf6589eee766b003d04a8df8a0b085b9

SHA256 hash: 1b65626eb65201568bf43a0233b7e3219805e8e1f847d808217f8dd74f9b0467
MD5 hash: 89ec226a79e1716249f682e61e239959
SHA1 hash: 0fc749cb9edb0ad3e9bc2c2533217685007a5b90

SHA256 hash: 28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8
MD5 hash: d5b34f5725505bff297714ca9b401b41
SHA1 hash: fa86b41a76c8e648c49932c1ecc1e1153ec84303
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
