MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ae575f006fc418c72a55ec5fdc26bc821aa3929114ee979b7065bf5072c488f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 13



SHA256 hash: 2ae575f006fc418c72a55ec5fdc26bc821aa3929114ee979b7065bf5072c488f
SHA3-384 hash: 292808066d54847b953b8c0efd44391794dc04b2286f4db72094fe6196f24162910e7c3816f0d96d1f5d8d2110950fea
SHA1 hash: 59edb26727474f548f2f441b41aba00b6fd12215
MD5 hash: 5ecbc6ecb7345b62be9c47edc3aa3d84
humanhash: louisiana-spaghetti-glucose-whiskey
File name: 2AE575F006FC418C72A55EC5FDC26BC821AA3929114EE.exe
Signature: NetSupport
File size: 2'567'624 bytes
First seen: 2022-01-02 19:26:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep: 49152:ys7oideXZ4Sn8VWSq6LknmDt7BwrRzfGap2XVfsGO:v3deyST6Lknm5aGaUfsF
Threatray: 1'363 similar samples on MalwareBazaar
TLSH: T151C52323F9C5C971C522593059B1C3F06B3DBE212F209ECAD7E45E6F3AB15903A2D692
dhash icon: 70cccd2baac9cc70 (1 x NetSupport)
Reporter: abuse_ch
Tags: exe NetSupport signed

Code Signing Certificate

Organisation: Kompaniya Auttek
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2020-03-20T00:00:00Z
Valid to: 2021-03-20T23:59:59Z
Serial number: 15c5af15afecf1c900cbab0ca9165629
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 19c60573c2890fad5fc96d3a9171959aef1c2dcc367ebd2dd27fc33d22976ad8
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
NetSupport C2:
192.169.69.25:2323

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
192.169.69.25:2323    https://threatfox.abuse.ch/ioc/290572/

Intelligence


File Origin
# of uploads: 1
# of downloads: 265
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2AE575F006FC418C72A55EC5FDC26BC821AA3929114EE.exe
Verdict: Malicious activity
Analysis date: 2022-01-02 19:28:02 UTC
Tags: unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Query of malicious DNS domain
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bladabindi netsupportmanager remoteadmin wacatac
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 51 / 100
Signature
Antivirus / Scanner detection for submitted sample
Detected potential unwanted application
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Behaviour
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2020-05-23 22:36:58 UTC
File Type: PE (Exe)
Extracted files: 462
AV detection: 20 of 43 (46.51%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cert_blocklist_15c5af15afecf1c900cbab0ca9165629
Author: ReversingLabs
Description: Certificate used for digitally signing malware.
Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments