MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173
SHA3-384 hash:	dfedf26216470005e4ceb5a78be7620971dd08c4a46d66eb63155cbf4226c4b8cd8abb9083a6d54ccd96c04f93ab2767
SHA1 hash:	08feb65fdcd6a8284297461c1afced9f769134c9
MD5 hash:	92d8cace3f5be94d54700290a22b01ab
humanhash:	white-illinois-nebraska-bravo
File name:	92d8cace3f5be94d54700290a22b01ab.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'693'236 bytes
First seen:	2023-02-13 09:55:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f3173778f088ce2b56b8257bfe393419 (6 x NetSupport, 1 x njrat, 1 x RedLineStealer)
ssdeep	49152:RJso4ozTdxkp92TMp2OX5yadksH1dSXnnGz2pU8E8SDJI4x:Reo5d6Ugp2IyadJH1dSXnGz2pU8Aaw
Threatray	475 similar samples on MalwareBazaar
TLSH	T17BC579432874C111C322BDF5F6E286F49CA96E26DA6DC20BA7C8FCA537FBD504129653
TrID	73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.6% (.SCR) Windows screen saver (13097/50/3) 2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	616955cc96b24d0f (1 x NetSupport)
Reporter	abuse_ch
Tags:	exe NetSupport

abuse_ch

NetSupport C2:
79.132.132.129:3312

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netsupport

ID:

File name:

92d8cace3f5be94d54700290a22b01ab.exe

Verdict:

Malicious activity

Analysis date:

2023-02-13 10:01:27 UTC

Tags:

unwanted netsupport trojan

Link:

https://app.any.run/tasks/68b18eed-9c34-446f-aaaf-23bd454a3c37

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetSupport

Link:

https://www.capesandbox.com/analysis/364960/

Detection(s):

SecuriteInfo.com.Program.RemoteAdmin.837.11923.27396.UNOFFICIAL

PUA.Win.Packer.BorlandDelphiKo-1

SecuriteInfo.com.Program.RemoteAdmin.837.6774.30868.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.3564.9146.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.19536.7356.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

DNS request

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/68978/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware netsupportmanager overlay packed remoteadmin shell32.dll

Link:

https://www.filescan.io/uploads/63ea093519bdad8346357ebe/reports/04d18697-4e9e-4894-87a7-927fe4dd0670/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetSupport Ltd

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/046e4e9d-92e9-41d1-acb3-918149392907

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1173210

Signature

Antivirus detection for URL or domain

Found potential ransomware demand text

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173/

Threat name:

Win32.Trojan.Nekark

Status:

Malicious

First seen:

2023-02-07 10:54:12 UTC

File Type:

PE (Exe)

Extracted files:

461

AV detection:

17 of 39 (43.59%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i2e752rxdkyle7b3o5qk3got2wd6o4ftmqb7zl3zlzffyf566fzq._file

Verdict:

suspicious

NetSupport

5a7de361bcc0ff503cf974023547853abe74c8bc336bcd04983dd42a39b4015a

NetSupport

6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8

NetSupport

c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f

NetSupport

db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856

NetSupport

fb76386ce3f17a25d59046a70cc05898bcccc7422ab92681777071e46d8943e5

NetSupport

+ 465 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/230213-lycwvsbg8y/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

NetSupport

Unpacked files

SH256 hash:

8f1b25652e49e5e4fb3ef2384109e45cf0284ebd2d9fcabd74557b732433cd48

MD5 hash:

3248a1b895481c8af930ec8f6ea04179

SHA1 hash:

fa963cdd3206c0a0eee2e7469c410a71bb4013e9

Link:

https://www.unpac.me/results/4757e13f-ac46-4f77-a1de-27a92653366c/

SH256 hash:

11bf2458d25ca8e6525b1f6859d5e48579220da0fe0b7f1b2269f4d0fac27705

MD5 hash:

097ac6c8d2a83493204e3441acf6ce6f

SHA1 hash:

7801d025415067f9cc571006ac4167417ec04e01

Link:

https://www.unpac.me/results/4757e13f-ac46-4f77-a1de-27a92653366c/

SH256 hash:

3775ff16c462c6272ddb4cdd15855d28b13b3613bd5a075a680fa8c22fd9d3dc

MD5 hash:

e390e5147b63307783b8357b4992a16e

SHA1 hash:

57284cfdd3becf144f57a0801f9281caaf2a3911

Link:

https://www.unpac.me/results/4757e13f-ac46-4f77-a1de-27a92653366c/

SH256 hash:

7d3067879347e67d9514613450d98b42b081454bbb89ab11dc02e9cd3bc5c802

MD5 hash:

3e5b3b0acc14a390b6daa382a3339c0e

SHA1 hash:

2e1226db6ce8de62ec05f3a18d1f9888205d496d

Link:

https://www.unpac.me/results/4757e13f-ac46-4f77-a1de-27a92653366c/

SH256 hash:

270fd6c110715d20be870a375120baf43bd07825366329c6f16d1dbf1c4365e0

MD5 hash:

3fe755b55ddfde30a9646d35a0e75a28

SHA1 hash:

2a64143f22ab34a2ec799999f6a59aa909e46f31

Link:

https://www.unpac.me/results/4757e13f-ac46-4f77-a1de-27a92653366c/

SH256 hash:

01956b7c1fdef594bd0c88b31ba29f6d6602102f0eb88ed47496635528a3a5e9

MD5 hash:

cb65b10a910af360104272ae1d17bdad

SHA1 hash:

0a46e13839942d89255b75ddcf2ffbd187831dbb

Link:

https://www.unpac.me/results/4757e13f-ac46-4f77-a1de-27a92653366c/

SH256 hash:

4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173

MD5 hash:

92d8cace3f5be94d54700290a22b01ab

SHA1 hash:

08feb65fdcd6a8284297461c1afced9f769134c9

Link:

https://www.unpac.me/results/4757e13f-ac46-4f77-a1de-27a92653366c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NetSupportManager RAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/364960/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample