MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA3-384 hash: ed3b8ceefbbc1b99cdea24774ece9afa05a8ec967a3d62ceea44b6e5d0b261abbec3c00cf38de34ed32230671739ca82
SHA1 hash: 55b4a1620c5d0113811242c20bd9870a1e31d542
MD5 hash: c94005d2dcd2a54e40510344e0bb9435
humanhash: failed-fanta-william-finch
File name:htctl32.dll
Download: download sample
Signature NetSupport
Create hunting rule
File size:328'056 bytes
First seen:2022-11-15 12:07:11 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 6ba08298dd09ea8e41ab7285d3183bba (1 x NetSupport)
ssdeep 6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
Threatray 95 similar samples on MalwareBazaar
TLSH T117646C21BD80C031F2966075C5BDDBBA0D6DB470376860DBBBD909B96F686D3663830B
TrID 75.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.0% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter madjack_red
Tags:dll NetSupport signed

Code Signing Certificate

Organisation:NetSupport Ltd
Issuer:Symantec Class 3 SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2016-01-12T00:00:00Z
Valid to:2017-09-21T23:59:59Z
Serial number: 2a7c96b4a761a9747606bd1056003d49
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7086610176dbbe170df29e0ee34bfb970322204d0060bef070c091415f105e32
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
GB GB
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334279/
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.837.11923.27396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm greyware greyware overlay packed remoteadmin
Link:
https://www.filescan.io/uploads/63738123f75d59fef0b974e0/reports/eeb8980a-4a70-4995-8db2-92d95815a78b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/96d12906-aa80-4633-b40b-1f1b9fa52206
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
30 / 100
Link:
https://www.joesandbox.com/analysis/1113745
Signature
Contains functionality to detect sleep reduction / modifications
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 746440 Sample: htctl32.dll Startdate: 15/11/2022 Architecture: WINDOWS Score: 30 7 loaddll32.exe 1 2->7         started        process3 9 rundll32.exe 7->9         started        12 cmd.exe 1 7->12         started        14 rundll32.exe 7->14         started        16 7 other processes 7->16 signatures4 37 Contains functionality to detect sleep reduction / modifications 9->37 18 WerFault.exe 6 11 9->18         started        21 rundll32.exe 12->21         started        23 WerFault.exe 2 9 14->23         started        25 WerFault.exe 9 16->25         started        27 WerFault.exe 16->27         started        29 WerFault.exe 16->29         started        31 WerFault.exe 16->31         started        process5 dnsIp6 35 192.168.2.1 unknown unknown 18->35 33 WerFault.exe 17 9 21->33         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqdskmv7oz2nbrivjvgsfkozyaltkmga2ahwtei43pbfkilv3cmq._file
Verdict:
unknown
Similar samples:
1e058d7231f3988e107157842935db6b35b3079baf30cedee7bff0fc9544c9f9
NetSupport
23c5fd678c02a42319b75ce0c9eb6c7e8da260aff6bbc658d8bc53f268c08401
NetSupport
3d47aa3f5d36514cf264d75f75774318f4a00f8258c73f61631f995613f7290d
NetSupport
4f6cb888a4dfade727490683feaee96679d7044f0181799c18a8c7060cb8dab3
NetSupport
5109678b00c6140a7f3183450dd0020be13d38f4ed8adcc820c2c12aa1d66ac3
NetSupport
60c43df102c498b3c295c0c02327a94141f127d076c0a493dcc9cedc02a0b8fb
NetSupport
61076154b44e1f08103e894a49846e3bed31b229d9bb8f3ab255654293d393a2
NetSupport
ba9dbb2b898adf2758437959eddda224bcc46b48a31c0eed57f5517cfe68f68d
NetSupport
f2efc8376672bf6b9835f05bb88ab7e742c9d35144ef24c4d963f0e1ae1af783
NetSupport
+ 85 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221115-pav93she9y/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
MD5 hash:
c94005d2dcd2a54e40510344e0bb9435
SHA1 hash:
55b4a1620c5d0113811242c20bd9870a1e31d542
Link:
https://www.unpac.me/results/a22915e3-ac02-4855-877f-2d2680aac061/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.02
Link:
https://yomi.yoroi.company/submissions/3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/334279/

Comments