MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45eaf956ae85dd33e34ff4ee1413442d5d05017aa949de02a382a9317c9ed6e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 4



SHA256 hash: 45eaf956ae85dd33e34ff4ee1413442d5d05017aa949de02a382a9317c9ed6e2
SHA3-384 hash: 7926b6082162802eebb70c633cce77b7e15350b532abc5445346e3e527a239ae4133aae594f26dee25738b305b9a038d
SHA1 hash: f3071a5fc819b6b67a37fd7acffed5d91fa1ba72
MD5 hash: d6bc232e310d6f41ed4a929bcce9d59b
humanhash: sierra-table-carbon-kansas
File name: netsupport25.zip
Signature: NetSupport
File size: 2'245'197 bytes
First seen: 2024-05-01 19:58:51 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep 24576:vPi6BRnmSnTpUDCNIsyYPPluW9z/BqIQZfW4OCayzzB6q8G9Y3MQQXSK87X6w08G:/z3TpHNIsvPIW9zgIKfqifFa8Z8dRMCy
TLSH T13BA5337DFA5C6CB9C05B95F651E87B2411EC7B61B2CC25E1238611F8CEA8A904FDE02D
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: NDA0E
Tags: 109-107-170-126 193-233-206-23 NetSupport zip


NDA0E
https://eprst251.boo/files/netsupport25.zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 87
Origin country: NL
File Archive Information

This file archive contains 15 file(s), sorted by their relevance:

File name: client32.ini
File size: 672 bytes
SHA256 hash: 2ac94a594e8583574f9a16dca49b68947e5caeac3afc6b35f59f5b8a2a819d94
MD5 hash: b195a5ef0d805dd2acfb38e5df63b63f
MIME type: text/plain
Signature: NetSupport
File name: nskbfltr.inf
File size: 328 bytes
SHA256 hash: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash: 26e28c01461f7e65c402bdf09923d435
MIME type: application/x-setupscript
Signature: NetSupport
File name: HTCTL32.DLL
File size: 328'056 bytes
SHA256 hash: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
MD5 hash: 2d3b207c8a48148296156e5725426c7f
MIME type: application/x-dosexec
Signature: NetSupport
File name: string.txt
File size: 82 bytes
SHA256 hash: 19ff8dcd9b6ed40cd5fbc526a302417ef745b571f6023f9394a626be7bf1e478
MD5 hash: d25162ccb3627e51b675f2c8c88939af
MIME type: application/octet-stream
Signature: NetSupport
File name: TCCTL32.DLL
File size: 391'832 bytes
SHA256 hash: 092c3ec01883d3b4b131985b3971f7e2e523252b75f9c2470e0821505c4a3a83
MD5 hash: 405a7bca024d33d7d6464129c1b58451
MIME type: application/x-dosexec
Signature: NetSupport
File name: AudioCapture.dll
File size: 93'560 bytes
SHA256 hash: a74612ae5234d1a8f1263545400668097f9eb6a01dfb8037bc61ca9cae82c5b8
MD5 hash: 4182f37b9ba1fa315268c669b5335dde
MIME type: application/x-dosexec
Signature: NetSupport
File name: PCICHEK.DLL
File size: 18'808 bytes
SHA256 hash: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
MD5 hash: a0b9388c5f18e27266a31f8c5765b263
MIME type: application/x-dosexec
Signature: NetSupport
File name: msvcr100.dll
File size: 773'968 bytes
SHA256 hash: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash: 0e37fbfa79d349d672456923ec5fbbe3
MIME type: application/x-dosexec
Signature: NetSupport
File name: pcicapi.dll
File size: 33'144 bytes
SHA256 hash: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
MD5 hash: dcde2248d19c778a41aa165866dd52d0
MIME type: application/x-dosexec
Signature: NetSupport
File name: PCICL32.DLL
File size: 3'710'280 bytes
SHA256 hash: 07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4
MD5 hash: ad51946b1659ed61b76ff4e599e36683
MIME type: application/x-dosexec
Signature: NetSupport
File name: NSM.LIC
File size: 259 bytes
SHA256 hash: f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2
MD5 hash: 1dc87146379e5e3f85fd23b25889ae2a
MIME type: text/plain
Signature: NetSupport
File name: nsm_vpro.ini
File size: 46 bytes
SHA256 hash: 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b
MD5 hash: 3be27483fdcdbf9ebae93234785235e3
MIME type: text/plain
Signature: NetSupport
File name: client32.exe
File size: 55'456 bytes
SHA256 hash: 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89
MD5 hash: 9497aece91e1ccc495ca26ae284600b9
MIME type: application/x-dosexec
Signature: NetSupport
File name: remcmdstub.exe
File size: 63'320 bytes
SHA256 hash: 89027f1449be9ba1e56dd82d13a947cb3ca319adfe9782f4874fbdc26dc59d09
MD5 hash: 35da3b727567fab0c7c8426f1261c7f5
MIME type: application/x-dosexec
Signature: NetSupport
File name: 2
File size: 346 bytes
SHA256 hash: 49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
MD5 hash: 24d3b502e1846356b0263f945ddd5529
MIME type: text/plain
Signature: NetSupport
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm overlay packed
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: Check_OutputDebugStringA_iat
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

zip 45eaf956ae85dd33e34ff4ee1413442d5d05017aa949de02a382a9317c9ed6e2

(this sample)
