MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
SHA3-384 hash: b73475a0dff98e80621b4310f720697c49399d3f7e537292c654470e5653c612312f32e6483f825374b310fbed5f5c4c
SHA1 hash: 1c84d2e573e7096040fbe6e950fbff764aa11096
MD5 hash: 166d71e145b2c802acd2b0a07e070bad
humanhash: quiet-bluebird-comet-arizona
File name:file
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'138'286 bytes
First seen:2024-11-16 11:39:47 UTC
Last seen:2024-11-16 11:40:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 49152:VIf3w6NbHHBp7k5hhJ+j0h7x0vRNT1UTzPN0EkHbG+n9:VIfwYt5ShrfKvo1U
TLSH T161A52302B9D3C5B2D53308350B196F55747DBE303F18CDAAE7C95E1EDA31292A628B63
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10522/11/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter Bitsight
Tags:45-61-128-74 exe NetSupport


Avatar
Bitsight
url: http://31.41.244.11/files/123.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.61.128.74:443 https://threatfox.abuse.ch/ioc/1345585/

Intelligence

File Origin
# of uploads :
2
# of downloads :
479
Origin country :
US US
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-16 11:41:04 UTC
Tags:
unwanted netsupport remote
Link:
https://app.any.run/tasks/443833a1-5fca-4803-8ad5-d0ad24470af2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.DarkKomet-10027799-0
Create hunting rule

SecuriteInfo.com.LuheRARDropper.19200.30796.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Running batch commands
Launching a process
Creating a process from a recently created file
Connection attempt
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm exploit fingerprint installer keylogger microsoft_visual_cc netsupport overlay packed packed packed packer_detected remoteadmin sfx
Link:
https://www.filescan.io/uploads/67388497916e868ba15c9a48/reports/31eccceb-266a-4a13-b98a-5ad526b11ae3/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bda9e211-3287-4c90-858e-734a1eb3658e
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1556890
Signature
AI detected suspicious sample
Contains functionalty to change the wallpaper
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1556890 Sample: file.exe Startdate: 16/11/2024 Architecture: WINDOWS Score: 88 37 geo.netsupportsoftware.com 2->37 45 Suricata IDS alerts for network traffic 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 8 file.exe 19 2->8         started        11 bild.exe 2->11         started        13 bild.exe 2->13         started        signatures3 process4 file5 25 C:\Users\Public\Public\...\remcmdstub.exe, PE32 8->25 dropped 27 C:\Users\Public\Public\Videos\...\pcicapi.dll, PE32 8->27 dropped 29 C:\Users\Public\Public\Videos\...\bild.exe, PE32 8->29 dropped 31 6 other files (3 malicious) 8->31 dropped 15 cmd.exe 1 8->15         started        process6 process7 17 bild.exe 17 15->17         started        21 conhost.exe 15->21         started        23 reg.exe 1 1 15->23         started        dnsIp8 33 45.61.128.74, 443, 49730 M247GB United States 17->33 35 geo.netsupportsoftware.com 104.26.0.231, 49731, 80 CLOUDFLARENETUS United States 17->35 39 Multi AV Scanner detection for dropped file 17->39 41 Contains functionalty to change the wallpaper 17->41 43 Delayed program exit found 17->43 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-16 11:40:05 UTC
File Type:
PE (Exe)
Extracted files:
470
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gozc7tti2xl32chinocqnril37gtrqtnwwmdqzhi2m556yxvgjza._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
error
NetSupport
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery persistence rat
Link:
https://tria.ge/reports/241116-nsvwlazkdj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
Win.Trojan.DarkKomet-10027799-0
YARA:
n/a
Link:
https://app.threat.zone/submission/4bfcadbc-cc29-4779-9776-d4b68d0e26a8
Unpacked files
SH256 hash:
1167d1a1d6187023a5dcec3510816db8e47542e28db2ebeaabd0a5fa2b5706ff
MD5 hash:
8ac193674e00cd80fc553eebc971a972
SHA1 hash:
b922cca5069b82aef7a19599928d4ee53db563da
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
MD5 hash:
eab603d12705752e3d268d86dff74ed4
SHA1 hash:
01873977c871d3346d795cf7e3888685de9f0b16
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
26dbb528c270c812423c3359fc54d13c52d459cc0e8bc9b0d192725eda34e534
MD5 hash:
325b65f171513086438952a152a747c4
SHA1 hash:
a1d1c397902ff15c4929a03d582b09b35aa70fc0
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
00f57b9910630a7049df821a39c733ca35763d9b11a58e8c0e52b06066a52643
MD5 hash:
46eacdca48274cc56965e2f11cc63d66
SHA1 hash:
305429533557823d54f1cb1766d080b7249b6d99
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5 hash:
f525bd5dcec08be37a94d743d345be14
SHA1 hash:
ed1485111b370e0f75c004c5b253d3bf7ce18cf7
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
0d44849c1449bf937c8a43a53fd3d1e71ba6fff60be9ac360e0406a24a921d3c
MD5 hash:
3813528535c6eab03fc18acf42f7ce10
SHA1 hash:
ba63bd49f1d8ba93693b140907c05af5e5d86781
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
aa9c59fd545d9a8755b1422330dea8241843a017b6d50369ac455a42f35271ad
MD5 hash:
cc8549be185e4edaed7c9c8c9620e198
SHA1 hash:
02f47e9d1894f5405950746d69449e3ddd45aa39
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
141dd89ba78fdcf56c9ebfc9062416063f14180590288f2fd1c9fe656451fb60
MD5 hash:
beb5e88e8222a516350ca7c817c8fe12
SHA1 hash:
ba77cd746065242a348147e557bb59ee068d6905
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
SH256 hash:
33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
MD5 hash:
166d71e145b2c802acd2b0a07e070bad
SHA1 hash:
1c84d2e573e7096040fbe6e950fbff764aa11096
Link:
https://www.unpac.me/results/8de40a2d-f9e7-4052-bfdf-174d295386b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

Executable exe 33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3292711/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments