MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 418744fa1ade539c280461387df87dda6bf84c7d755ebbbdc6123fd5659f9467. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	418744fa1ade539c280461387df87dda6bf84c7d755ebbbdc6123fd5659f9467
SHA3-384 hash:	4eab59ec3695cabe817392aefe5c4d6cfc3df9bfa9ab9c21862df166aedfa43dbd21d20008985bc8afb0865ceb90885d
SHA1 hash:	4ccc61ba1722484042734579dff6c1a97bd37366
MD5 hash:	877f5e83fb39de16fa8bbd93ba9f07f1
humanhash:	kitten-grey-mobile-earth
File name:	SecuriteInfo.com.Trojan.RA.587.6199.17468
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	106'352 bytes
First seen:	2023-06-14 02:31:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a9d50692e95b79723f3e76fcf70d023e (10 x NetSupport)
ssdeep	384:Jh0wV5+6j6Qa86Fkv2Wr120hZE4vtV/CptVDikH:f/VZl6FhWr80/E4vtV6ptVDiy
Threatray	141 similar samples on MalwareBazaar
TLSH	T1E4A3954F428DE173EA92E97DC8859B040D51BDC8B5B058FB11AEF23E3E3178D6B6405A
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	4d2d52417121a151 (11 x NetSupport)
Reporter	SecuriteInfoCom
Tags:	exe NetSupport signed

Code Signing Certificate

Organisation:	NetSupport Ltd
Issuer:	Symantec Class 3 SHA256 Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2017-09-15T00:00:00Z
Valid to:	2020-09-22T23:59:59Z
Serial number:	79906faf4fbd75baa10b322356a07f6d
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	fcd6a7e626908dc8e5d3ce6fc9350ec099c42fb1ad1231a75208b54754985089
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

netsupport

ID:

File name:

4th.zip

Verdict:

Malicious activity

Analysis date:

2023-06-13 20:02:05 UTC

Tags:

unwanted netsupport

Link:

https://app.any.run/tasks/562ecd58-915d-4ea6-84ac-465d5baac73e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/398521/

Detection(s):

SecuriteInfo.com.Trojan.RA.587.6199.17468.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90550/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

netsupport overlay packed

Link:

https://www.filescan.io/uploads/648926a48bd3eb76c8c65fd0/reports/1252816a-3a81-4d66-a0df-d184c1bd6996/overview

Verdict:

Malicious

Labled as:

RiskWare[RemoteAdmin]/NetSup

Link:

https://www.hybrid-analysis.com/sample/418744fa1ade539c280461387df87dda6bf84c7d755ebbbdc6123fd5659f9467

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6cd4a527-9415-47d7-afd1-a97409f6f995

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1254032

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/418744fa1ade539c280461387df87dda6bf84c7d755ebbbdc6123fd5659f9467/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=igduj6q23zjzykaeme4h36d53jv7qtd5ovplxpogci75kzm7srtq._file

Verdict:

unknown

NetSupport

28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8

NetSupport

368d74adbbf7fc8398d9bebe64f10275c0caac68703ccdb1c3cbef52fe7db900

NetSupport

39f85df74587155e28ea24e89d30dff0686c1f849df32b0a08a8c9838b623731

NetSupport

3d47aa3f5d36514cf264d75f75774318f4a00f8258c73f61631f995613f7290d

NetSupport

9a7460335390cb370f8b6c6f35acb4124580a14a8e8231498d0bc08c8d0c65d3

NetSupport

a16dacbab60ca49de99d2e5617a189dcb4b699577f6d66f1cccd96689de6947d

NetSupport

b41a4eb5971f4dd7b443bd68f92f6af92735d6db5a258e372d57b499882c866a

NetSupport

b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad

NetSupport

b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d

NetSupport

+ 131 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230614-c1ad3sch5z/

Unpacked files

SH256 hash:

418744fa1ade539c280461387df87dda6bf84c7d755ebbbdc6123fd5659f9467

MD5 hash:

877f5e83fb39de16fa8bbd93ba9f07f1

SHA1 hash:

4ccc61ba1722484042734579dff6c1a97bd37366

Link:

https://www.unpac.me/results/35abe119-364e-45f6-badc-860cd7fc34d0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/418744fa1ade539c280461387df87dda6bf84c7d755ebbbdc6123fd5659f9467

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_79906faf4fbd75baa10b322356a07f6d Create hunting rule
Author:	ditekSHen
Description:	Detects NetSupport (client) signed executables

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/398521/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample