MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 463e3a3781754963ddd5b65b237ed60d56dd58182abf25e3a3093fadfb68349f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 463e3a3781754963ddd5b65b237ed60d56dd58182abf25e3a3093fadfb68349f
SHA3-384 hash: 688dc041c9786fe1fa20234ac6af40b75c9b3b1d20412860fe5e24403bca9167577c728670a5683e748d93a6f9be4abc
SHA1 hash: 868f5d1e1d60b00178679dd6b006aac2a7d8eca5
MD5 hash: bee129f1cc4bccacd607f73735564d77
humanhash: papa-india-neptune-ack
File name:bee129f1cc4bccacd607f73735564d77.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:3'604'616 bytes
First seen:2023-07-22 07:02:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 17271304419eb299ee7ef7a9bddb90d4 (1 x NetSupport)
ssdeep 24576:bsv556Cux3LfT3AwCXSzww19rehwcwNvs/21CPf/VqlOBh9paD4z17iY6zUzby5g:y5GcaehwJN4f/QlOBhGCY4e59z4xg6
Threatray 302 similar samples on MalwareBazaar
TLSH T1ADF5058221CC0181DF6A7134B6AD3AD4D936E4E80F1889EB3FB491D99ADFDE217F5214
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 3169ccccc4f1f179 (2 x Stealc, 1 x NetSupport, 1 x njrat)
Reporter abuse_ch
Tags:exe NetSupport unclesrug31-com unclesrug32-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
bee129f1cc4bccacd607f73735564d77.exe
Verdict:
Malicious activity
Analysis date:
2023-07-22 07:04:26 UTC
Tags:
unwanted netsupport remote
Link:
https://app.any.run/tasks/aa22ef24-97b8-4467-874a-7799080b6f3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/428410/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.21439.12204.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/463e3a3781754963ddd5b65b237ed60d56dd58182abf25e3a3093fadfb68349f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c2f77532-bc79-4b31-b59d-9105c154d644
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1277682
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277682 Sample: mitljPgJ0K.exe Startdate: 22/07/2023 Architecture: WINDOWS Score: 92 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Antivirus detection for URL or domain 2->50 52 Uses known network protocols on non-standard ports 2->52 8 mitljPgJ0K.exe 1 2->8         started        12 client32.exe 2->12         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\????????c, PE32 8->26 dropped 54 Query firmware table information (likely to detect VMs) 8->54 56 Contains functionality to inject code into remote processes 8->56 58 Writes to foreign memory regions 8->58 60 2 other signatures 8->60 14 ????????c 28 8->14         started        signatures5 process6 dnsIp7 42 sweetyporn.org 176.111.174.168, 49692, 80 WILWAWPL Russian Federation 14->42 28 C:\Users\user\AppData\...\remcmdstub.exe, PE32 14->28 dropped 30 C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32 14->30 dropped 32 C:\Users\user\AppData\...\client32.exe, PE32 14->32 dropped 34 6 other files (none is malicious) 14->34 dropped 44 Uses schtasks.exe or at.exe to add and modify task schedules 14->44 19 client32.exe 17 14->19         started        22 schtasks.exe 1 14->22         started        file8 signatures9 process10 dnsIp11 36 unclesrug31.com 185.209.30.136, 1212, 49693 VDSINA-ASRU Russian Federation 19->36 38 geography.netsupportsoftware.com 51.142.119.24, 49694, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 19->38 40 2 other IPs or domains 19->40 24 conhost.exe 22->24         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/463e3a3781754963ddd5b65b237ed60d56dd58182abf25e3a3093fadfb68349f/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-22 07:03:07 UTC
File Type:
PE+ (Exe)
Extracted files:
16
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iy7dun4bovewhxovwznsg7wwbvln2wayfk7sly5dbe72363igspq._file
Verdict:
malicious
Label(s):
zloader
Create hunting rule
Similar samples:
131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993
NetSupport
2174b4c58eb43aac8e5e0061ff0bc45125f4cb64404d552fe25ea6ac1777113d
NetSupport
336805e47329a9349dd7e1a2213913f5c4873fa85c812d29b9c9f6c540d8e082
NetSupport
428b05b5e7b7afddd15ea63fde166cf2e30fede6afc3bc2cd40910ee198920e6
NetSupport
634ac4680c24d64b0de470e429352a993ef6d1885577311b1157d36ec8d3419c
NetSupport
afadfea05a60c5090213324056b71ac29d7175dee54b35d78ed0854b872778e1
NetSupport
b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514
NetSupport
db4e5406cdd9e4a25d9a7363318b653140701ad62c39654b974644e4110d6444
NetSupport
e21c17ca8f06ee6bb4043d50be7474a92daf89d6ad5b3126d634ea1a23900533
NetSupport
f25783f385c6758f3926d12325e63b34240f4586092afdfe9fca577c1be70a0c
NetSupport
+ 292 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230722-hvcj5shh53/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
463e3a3781754963ddd5b65b237ed60d56dd58182abf25e3a3093fadfb68349f
MD5 hash:
bee129f1cc4bccacd607f73735564d77
SHA1 hash:
868f5d1e1d60b00178679dd6b006aac2a7d8eca5
Link:
https://www.unpac.me/results/a041a272-445c-4f36-84aa-d2acc808ede7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/463e3a3781754963ddd5b65b237ed60d56dd58182abf25e3a3093fadfb68349f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/428410/

Comments