MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b4021a41f886f99fa165acb89dfd992ae09b20c301686d787adc91acb823078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b4021a41f886f99fa165acb89dfd992ae09b20c301686d787adc91acb823078
SHA3-384 hash: 0e04899da8d42bdfbc56e530ec6e1fcaab2ec9c0b69c1356b5692720e9d98703634d1356d2a7eaf948a25644c0d1c4db
SHA1 hash: 62bdf2731836d0ad654357969dea1d313070eafd
MD5 hash: 0abb64ed6ad600e6697d3b70397a90f8
humanhash: mobile-hydrogen-jupiter-wisconsin
File name:2b4021a41f886f99fa165acb89dfd992ae09b20c30168.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'402'904 bytes
First seen:2023-08-23 09:00:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3eaa732d4dae53340f9646bdd85dac41 (11 x NetSupport, 6 x RedLineStealer, 4 x ISRStealer)
ssdeep 49152:VBTbQBxHR0kedjh1005ldUOeyOCXPtuWPJdgJeQ:rTb0VRsdh100/d9zPXPtjdaN
Threatray 610 similar samples on MalwareBazaar
TLSH T131B523E0B182C172E56351B0AADDD6A0F53BFD19AA355647FBC0372CBE72663CA05312
TrID 73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.6% (.SCR) Windows screen saver (13097/50/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 71d4b27232b6cc71 (1 x NetSupport)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
45.61.147.162:3301

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
2b4021a41f886f99fa165acb89dfd992ae09b20c30168.exe
Verdict:
Malicious activity
Analysis date:
2023-08-23 09:02:27 UTC
Tags:
netsupport remote unwanted
Link:
https://app.any.run/tasks/1d74f09c-1a5b-4b20-bff6-56fec3923fe5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444291/
Detection(s):
Win.Trojan.Starter-287
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108361/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm cmd control cscript evasive explorer fingerprint greyware keylogger lolbin lolbin netsupport overlay packed packed remote remoteadmin replace shdocvw shell32 virus wscript
Link:
https://www.filescan.io/uploads/64e5cad0c5baea601a297fcc/reports/f5a4ad8a-97a7-4846-ac4e-21ccb6b32816/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/2b4021a41f886f99fa165acb89dfd992ae09b20c301686d787adc91acb823078
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0616ccab-d9a5-4719-9bd3-491e9cbd865e
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1295743
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b4021a41f886f99fa165acb89dfd992ae09b20c301686d787adc91acb823078/
Threat name:
Win32.Trojan.Netsupportmanager
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 09:01:08 UTC
File Type:
PE (Exe)
Extracted files:
463
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnacdja7rbxzt6qwllfytx6zskxatmqmgalinv4hvxervs4cgb4a._file
Verdict:
malicious
Similar samples:
12cda2b4c69e83ff66a7e583597e6182cc95211c305829b586301906e6351949
NetSupport
23b14288d49610a8eef61977b7fc49a963f1261fe29b1668b4443a04eaf493cb
NetSupport
5a7de361bcc0ff503cf974023547853abe74c8bc336bcd04983dd42a39b4015a
NetSupport
c5abef1668afbaf378e02a420224ec01850559605143c17f5831b85afe136d5b
NetSupport
ccc6693d703b68b3bd0e697cbff8f1f59cb4b5aed29da770d8000f3dc61917c1
NetSupport
db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856
NetSupport
ffeeafbe114f78fcb04e240eb2d5b74d32ea0e271cea9334c59e18d3ac3257d6
NetSupport
+ 600 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230823-kyv7rsba94/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
fc8556900dd9583a376edf32b159594d70f996fa37767326d2fb4aea8f7330c6
MD5 hash:
1d13182dcfc79c8af83f6dc45603e923
SHA1 hash:
d9e7e3fc93ef0ce7de8cc338591d380d01c2dcf1
Link:
https://www.unpac.me/results/d05003cc-66a8-4ff0-b1db-95953ca18066/
SH256 hash:
dccbc713c469e2b41bc440dee63d2a2b6d9bc87501a9e6a0ba8b23c5d94b3663
MD5 hash:
fea1cea6c7322d3eb4d37ff99a5d7186
SHA1 hash:
ce6b0cb14c713ccbb83dfa7a4cb4f9665f1793a6
Link:
https://www.unpac.me/results/d05003cc-66a8-4ff0-b1db-95953ca18066/
SH256 hash:
e59dd49ef4ff29f61dc275de09f20b9291f424739e36abb8b66ffab910b49636
MD5 hash:
3c5fc854ff586140e1b680fb5213919c
SHA1 hash:
50214d5424d35f67e4e53e2a543f0050880e75c8
Link:
https://www.unpac.me/results/d05003cc-66a8-4ff0-b1db-95953ca18066/
SH256 hash:
b51665d9e099cc2c72cfdea9eb9bceff3d19a99353924340f35ae2492f526656
MD5 hash:
fdb0e6981b7854ee4455dd33c3e87d84
SHA1 hash:
49d02932e5832dded71cf91a5441ed5f53ccd1f3
Link:
https://www.unpac.me/results/d05003cc-66a8-4ff0-b1db-95953ca18066/
SH256 hash:
e1b58a50e875ca6995bc746b3faded899de1ccb8d2abec75c4a1fc11a469268b
MD5 hash:
3634315e4033a4a9d7d8bb469af2abf8
SHA1 hash:
2bc76b0bdfd03f2aabd8f7e6792d9f221983cdf2
Link:
https://www.unpac.me/results/d05003cc-66a8-4ff0-b1db-95953ca18066/
SH256 hash:
94a966319e68cc61457dc006e2b8fed0192b92b943321f630005b93e93925c4b
MD5 hash:
5789328de018b910cccdb236ca7ab2f5
SHA1 hash:
0798f17172c3ab787a380175dcf5eb9380095ce1
Link:
https://www.unpac.me/results/d05003cc-66a8-4ff0-b1db-95953ca18066/
SH256 hash:
2b4021a41f886f99fa165acb89dfd992ae09b20c301686d787adc91acb823078
MD5 hash:
0abb64ed6ad600e6697d3b70397a90f8
SHA1 hash:
62bdf2731836d0ad654357969dea1d313070eafd
Link:
https://www.unpac.me/results/d05003cc-66a8-4ff0-b1db-95953ca18066/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b4021a41f886f99fa165acb89dfd992ae09b20c301686d787adc91acb823078

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444291/

Comments