MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d47aa3f5d36514cf264d75f75774318f4a00f8258c73f61631f995613f7290d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10

SHA256 hash: 3d47aa3f5d36514cf264d75f75774318f4a00f8258c73f61631f995613f7290d
SHA3-384 hash: 90b09302d3a8781177e22342588e6a2eb55e41b352024cceafd661b644ddcc7af9924243e123e8599afb51e0adbf86e3
SHA1 hash: d9eefb58b5e3e08055d1f42a3bae138c2c39a23f
MD5 hash: 47d55a8e504509f4bdb034c3f0068e61
humanhash: network-five-blue-kitten
File name: 47d55a8e504509f4bdb034c3f0068e61.exe
Signature: NetSupport
File size: 2'001'832 bytes
First seen: 2022-06-25 16:28:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep 24576:RFszWS5iPxzpRHYWc3LzMH7f9w4A1uSjxRI0720pbmD/XvfPlWdEllDU4bqkVDzv:RVRtfrUcSjE07Pp+nPUqJUeLD
Threatray 286 similar samples on MalwareBazaar
TLSH T14195332236D11835D5260E322B7EAE41D2B5BF7578B7F21FE74A462C3630982FA59703
TrID 76.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
9.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon 4b34b33c311c0c03 (1 x NetSupport)
Reporter: abuse_ch
Tags: exe NetSupport signed

Code Signing Certificate

Organisation: DAMOKLES SECURITY INNOVATIONS LTD.
Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2022-03-03T21:45:06Z
Valid to: 2023-03-04T21:45:06Z
Serial number: 546650e1123b8a5cf89e9427
Thumbprint Algorithm: SHA256
Thumbprint: 1d2bc04c8dfe9ef97a948a2c3e578e921788f7a75459261061d594acfebaa065
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
NetSupport C2:
168.100.9.23:3961

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
168.100.9.23:3961   https://threatfox.abuse.ch/ioc/728263/

Intelligence


File Origin
# of uploads: 1
# of downloads: 229
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: packed remoteadmin
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 60 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Behaviour
Threat name: Win32.Trojan.NetSup
Status: Malicious
First seen: 2022-06-24 15:11:17 UTC
File Type: PE (Exe)
Extracted files: 460
AV detection: 10 of 40 (25.00%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments