MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5790657ab5aa69e05dcbf56d1d202bcd11a0cdf197afabe5ec7b8586f6ddf0e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 6

Intelligence 6 IOCs YARA 10 File information Comments

SHA256 hash:	5790657ab5aa69e05dcbf56d1d202bcd11a0cdf197afabe5ec7b8586f6ddf0e8
SHA3-384 hash:	eaf8e97f3a825c605ea2bf406808a754240633fe83396595f30dc6edc9898a3fae8d748e471b9f0dfa8a0d5f54f0b109
SHA1 hash:	25b37de55372d52291317f1a07d1ec0121994226
MD5 hash:	031187efe012a333fdabb89ad0c5d411
humanhash:	foxtrot-stream-xray-oregon
File name:	en-win-update.msi
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	14'599'168 bytes
First seen:	2023-08-10 19:23:39 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	393216:V2ajq5X3pHvX5Njc+p/w3/D4tmrzeOwExxAzT:IGaXdLcww3Vrzen3v
Threatray	1 similar samples on MalwareBazaar
TLSH	T179E62325B59BC932D22D067BF868FE5E06393F724B3105F776F839AA18B0CC15271A46
TrID	77.3% (.MSI) Microsoft Windows Installer (454500/1/170) 10.3% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.5% (.MSP) Windows Installer Patch (44509/10/5) 3.3% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2) 1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter	rmceoin
Tags:	94-156-6-111 FakeSG msi NetSupport signed

Code Signing Certificate

Organisation:	VOVSOFT
Issuer:	VOVSOFT
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-08-05T17:23:13Z
Valid to:	2024-08-05T17:43:13Z
Serial number:	6b247636ad14639449afd0c7687fad2a
Thumbprint Algorithm:	SHA256
Thumbprint:	3902e5a3c06b1c479d8c5e97b00e878412d1c5c14a33cff6ce5887e8e66da1da
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

rmceoin

Compromised site
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
sterlingfundinginc[.]com/wp-content/uploads/2023/03/en-local(downloader-upd)silent.zip
-->
sterlingfundinginc[.]com/wp-content/uploads/2022/03/en-win-update.msi
-->
NetSupport GatewayAddress 94[.]156.6.111:443

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

Vendor Threat Intelligence

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/5790657ab5aa69e05dcbf56d1d202bcd11a0cdf197afabe5ec7b8586f6ddf0e8

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/5790657ab5aa69e05dcbf56d1d202bcd11a0cdf197afabe5ec7b8586f6ddf0e8

Result

Threat name:

n/a

Detection:

suspicious

Classification:

n/a

Score:

30 / 100

Link:

https://www.joesandbox.com/analysis/1289649

Signature

PE file has a writeable .text section

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5790657ab5aa69e05dcbf56d1d202bcd11a0cdf197afabe5ec7b8586f6ddf0e8/

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2023-08-07 19:07:24 UTC

File Type:

Binary (Archive)

Extracted files:

158

AV detection:

5 of 24 (20.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k6igk6vvvju6axol6vwr2iblzui2btprs6x2xzpmpocyn5w56dua._file

Verdict:

unknown

NetSupport

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/230810-x4czlagg34/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5790657ab5aa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NetSupportManager RAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5790657ab5aa69e05dcbf56d1d202bcd11a0cdf197afabe5ec7b8586f6ddf0e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

msi 5790657ab5aa69e05dcbf56d1d202bcd11a0cdf197afabe5ec7b8586f6ddf0e8

(this sample)

Link

https://infosec.exchange/@rmceoin/110866230355761534

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2703684/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample