MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 8



SHA256 hash: 45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7
SHA3-384 hash: 79055e9f1513ea9de0e64e7248cfae14ef4e3e639128d6e78fd3a3d9e32eb5b909ac3a7e60b076faf2e8f455522413d6
SHA1 hash: 4a0d251ed5db7ec8bf4f5334d11d0c35549eb4a9
MD5 hash: c82f6b6c65e9617b6af32028c9d9b793
humanhash: lake-moon-paris-avocado
File name: C82F6B6C65E9617B6AF32028C9D9B793.exe
Signature: NetSupport
File size: 2'307'832 bytes
First seen: 2021-08-05 05:16:07 UTC
Last seen: 2021-08-05 08:19:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 77f81ec12eacdb769388a8e410647817 (1 x NetSupport, 1 x PrivateLoader)
ssdeep: 49152:reQeN/IirV+a2YCSdZeCP6OYKphcmX90ur7SnkGPgvNLc+:reh/DAa2VcbSOYUqmWurEkGPURc+
TLSH: T1DAB533735D0C84D6EBD77870F00BE77169767EA20222C4ADA3B6498D923FAC24DB5097
dhash icon: 71f0c08888c0e070 (9 x SnakeKeylogger, 9 x AgentTesla, 8 x AsyncRAT)
Reporter: abuse_ch
Tags: exe NetSupport PRO SAT SRL signed
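Before trusting the vendor verdicts below for a file pulled from elsewhere, an analyst should confirm the file really is this sample. The Python below is an added example (not MalwareBazaar code and not part of any vendor's analysis): it recomputes the four digests listed above for a local file and compares them with the entry, checks that each published digest has the length its algorithm requires (a truncated copy-paste is the usual cause of a "false mismatch"), and checks that the stored file name is the sample's MD5 in upper case plus `.exe`, as it is in this entry. The placeholder bytes used when no path is given are constructed and are not the sample.

```python
"""Confirm a local file is the sample described in this MalwareBazaar entry.

Added example; the hash values below are copied from the entry above.
"""
import hashlib
import re
from pathlib import Path

# Digests published in the entry: hashlib algorithm name -> hex digest.
ENTRY_HASHES = {
    "md5": "c82f6b6c65e9617b6af32028c9d9b793",
    "sha1": "4a0d251ed5db7ec8bf4f5334d11d0c35549eb4a9",
    "sha256": "45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7",
    "sha3_384": ("79055e9f1513ea9de0e64e7248cfae14ef4e3e639128d6e78fd3a3d9e32eb5b9"
                 "09ac3a7e60b076faf2e8f455522413d6"),
}
ENTRY_FILE_NAME = "C82F6B6C65E9617B6AF32028C9D9B793.exe"


def well_formed(expected: dict) -> dict:
    """Per algorithm: is the published digest hex of exactly the right length?

    A wrong length means a truncated or mis-copied indicator, not a real mismatch.
    """
    result = {}
    for name, hexdigest in expected.items():
        want_len = hashlib.new(name).digest_size * 2  # two hex chars per byte
        result[name] = re.fullmatch(r"[0-9a-f]{%d}" % want_len, hexdigest.lower()) is not None
    return result


def compute_hashes(data: bytes, algorithms=tuple(ENTRY_HASHES)) -> dict:
    """Hash the bytes once per algorithm (sha3_384 is in hashlib since Python 3.6)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def compare_hashes(data: bytes, expected: dict) -> dict:
    """Per algorithm: does the computed digest equal the published one (case-insensitive)?"""
    actual = compute_hashes(data, tuple(expected))
    return {name: actual[name] == expected[name].lower() for name in expected}


def is_entry_sample(data: bytes, expected: dict = ENTRY_HASHES) -> bool:
    """True only if every published digest matches; one mismatch rules the file out."""
    return all(compare_hashes(data, expected).values())


def name_is_md5(filename: str, md5_hex: str) -> bool:
    """MalwareBazaar stored this sample under its MD5 in upper case plus '.exe'."""
    return Path(filename).stem.lower() == md5_hex.lower()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        sample = Path(sys.argv[1]).read_bytes()
    else:
        # Constructed stand-in bytes, not the sample: exercises the mismatch path.
        sample = b"constructed placeholder, not the NetSupport sample"
    print("published digests well-formed:", well_formed(ENTRY_HASHES))
    print("per-algorithm match:", compare_hashes(sample, ENTRY_HASHES))
    print("is this sample:", is_entry_sample(sample))
    print("stored name is MD5:", name_is_md5(ENTRY_FILE_NAME, ENTRY_HASHES["md5"]))
```

Run it as `python3 check_sample.py <file>`; with no argument it hashes the placeholder bytes and reports every digest as a mismatch. Requiring all four digests to agree costs nothing extra (one pass per algorithm over the file) and removes any doubt that the compared file is the one the vendors scored.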

Code Signing Certificate

Organisation: PRO SAT SRL
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2021-07-27T00:00:00Z
Valid to: 2023-07-27T23:59:59Z
Serial number: 0e8aa328af207ce8bcae1dc15c626188
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB). A valid Authenticode signature from it is therefore not evidence that a file is benign; other files signed with this certificate (match on the serial number or the thumbprint below) should be treated as suspect. Note that the certificate became valid on 2021-07-27, nine days before this sample was first seen.
Thumbprint Algorithm: SHA256
Thumbprint: 226d9c5f4ee36d6d47013f2cadbc98e19b2a1b62acb0a0db1d5795dddddd1521
Source: ReversingLabs A1000 Malware Analysis Platform


abuse_ch
NetSupport C2:
46.161.40.59:3085

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 46.161.40.59:3085
ThreatFox reference: https://threatfox.abuse.ch/ioc/165750/

Intelligence


File Origin
# of uploads: 2
# of downloads: 118
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: C82F6B6C65E9617B6AF32028C9D9B793.exe
Verdict: No threats detected
Analysis date: 2021-08-05 05:19:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating a file
Modifying a system file
Moving a recently created file
Creating a process from a recently created file
Deleting a recently created file
Sending a UDP request
Creating a window
Searching for the window
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Connection attempt to an infection source
Enabling autorun
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
Creates an undocumented autostart registry key
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Logon Scripts (UserInitMprLogonScript)
Uses known network protocols on non-standard ports
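Two of the indicators on this page translate directly into host-side detections: the NetSupport C2 at 46.161.40.59:3085 from the IOC table, and the UserInitMprLogonScript logon-script persistence behind the "Sigma detected: Logon Scripts (UserInitMprLogonScript)" signature above. The Python below is an added example, not MalwareBazaar or vendor code; it runs both matchers over constructed Sysmon-style events (Event ID 3 NetworkConnect and Event ID 13 RegistryEvent value set). The event records, file paths, the SID, the batch file name and the benign 203.0.113.10 address are made up for illustration; only the C2 address and port and the sample's stored file name come from this entry.

```python
"""Match the indicators published in this entry against constructed Sysmon-style events.

Added example, not part of MalwareBazaar or any vendor's output. Event field names
follow Sysmon Event ID 3 (NetworkConnect) and Event ID 13 (RegistryEvent, value set).
"""

# From the abuse_ch comment and the IOC table: the NetSupport C2, published as IP:port.
C2_IP, C2_PORT = "46.161.40.59", 3085
# From the sandbox signature "Sigma detected: Logon Scripts (UserInitMprLogonScript)":
# a per-user Environment value that Windows runs as a logon script.
LOGON_SCRIPT_SUFFIX = r"\environment\userinitmprlogonscript"


def match_c2(event: dict) -> bool:
    """Sysmon EID 3 connection to the published C2 address on the published port."""
    return (event.get("EventID") == 3
            and event.get("DestinationIp") == C2_IP
            and int(event.get("DestinationPort", -1)) == C2_PORT)


def match_logon_script(event: dict) -> bool:
    """Sysmon EID 13 that sets UserInitMprLogonScript under any user hive (HKU\\<SID>\\...)."""
    target = str(event.get("TargetObject", "")).lower()
    return event.get("EventID") == 13 and target.endswith(LOGON_SCRIPT_SUFFIX)


def triage(events) -> list:
    """Return one finding per matching event as (rule, image, evidence)."""
    findings = []
    for ev in events:
        if match_c2(ev):
            findings.append(("netsupport_c2", ev.get("Image"),
                             f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif match_logon_script(ev):
            findings.append(("userinitmprlogonscript", ev.get("Image"), ev.get("Details")))
    return findings


# Constructed events. Paths, the SID, the batch file and the RFC 5737 benign address are
# made up; only the C2 IP:port and the sample's file name are taken from this entry.
SAMPLE_IMAGE = r"C:\Users\victim\AppData\Local\Temp\C82F6B6C65E9617B6AF32028C9D9B793.exe"
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE_IMAGE},
    {"EventID": 3, "Image": SAMPLE_IMAGE, "Protocol": "tcp",
     "DestinationIp": "46.161.40.59", "DestinationPort": 3085},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\victim\AppData\Roaming\run.bat"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_HIVE + r"\Environment\TEMP",
     "Details": r"C:\Users\victim\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for rule, image, evidence in triage(SAMPLE_EVENTS):
        print(rule, image, evidence, sep=" | ")
```

The C2 matcher requires both the address and the port because the entry publishes the indicator as IP:port; relax it to address-only if you want to catch the same host on another port. The registry matcher compares only the tail of TargetObject, so it fires for any user hive rather than a single SID.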
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2021-08-02 20:50:56 UTC
File Type: PE (Exe)
Extracted files: 471
AV detection: 18 of 47 (38.30%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
SHA256 hash: aee53e51e916c20dfa4fa734456a3a15bb9b3cfcf1ce1af63034fe51c5cebee2
MD5 hash: 70dc5ed382ad2659278b1ff256e6b14e
SHA1 hash: cdefdc7ab2c9e96882713f445e45b3d29407d3ce

SHA256 hash: 1e7ccc646d0937e61799e38eb7f3ed3fb31d1b669bcbd08dc1823822f04a9e59
MD5 hash: 1c2f246037962715fcdb9f064f4853f7
SHA1 hash: cabcf8421da9a5e16f0eda7b66d9dca2a187c549

SHA256 hash: 9dd994694200780c9c395c8fb08c6b6055c2107df52b23654c95e24c42fd57fa
MD5 hash: 723cab3bc70833a3e2a6d60573c0d34d
SHA1 hash: bca468b3988930351b288bf41135b945c7da8597

SHA256 hash: ffa79446ba52ab0212c7978aede8e289eef69f4c53244af780b07fd9e2447d31
MD5 hash: e4ca7e5fb11251e243a849c519ec450c
SHA1 hash: a316ae976754c98f1824c495ee8e81468b2114cf

SHA256 hash: a494dcddcd3a4c6b09911da2c41542cd41123387a8a7909c9bc0326348f5d99e
MD5 hash: d931b6ff6ff5721f35078c9b592b33ef
SHA1 hash: 3916ea0b97c39b27be4a8cac11f9b92850dfabe4

SHA256 hash: c0bd3dba48e7553d17a742fd91f4694a01ff963dce5fc9717581043312988b00
MD5 hash: fa1b1c5f7637e9f2251460ecb29ee52a
SHA1 hash: 2a6b6806a3ff3e4de631bffff6fb05f7d0cc26f2

SHA256 hash: 45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7 (the submitted sample)
MD5 hash: c82f6b6c65e9617b6af32028c9d9b793
SHA1 hash: 4a0d251ed5db7ec8bf4f5334d11d0c35549eb4a9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: NetSupport
File: Executable exe 45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7 (this sample)

Comments