MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a7de361bcc0ff503cf974023547853abe74c8bc336bcd04983dd42a39b4015a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 13



SHA256 hash: 5a7de361bcc0ff503cf974023547853abe74c8bc336bcd04983dd42a39b4015a
SHA3-384 hash: 68f5de7aa60c5907698a031935202a04adde5e33f7113c98d099868c58fa1fb9748722e2603530468b380190dc78bfa1
SHA1 hash: 42c7078f09483ecff188ecd45873b53d6f57fb28
MD5 hash: 5aa737c4b2322a7b99a3fdfb09be63b5
humanhash: lamp-low-dakota-mississippi
File name: 5aa737c4b2322a7b99a3fdfb09be63b5.exe
Signature NetSupport
File size: 2'557'225 bytes
First seen: 2022-11-15 20:05:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f3173778f088ce2b56b8257bfe393419 (6 x NetSupport, 1 x njrat, 1 x RedLineStealer)
ssdeep 49152:Dbsorozidxkp92TMp2OGjyadksH1dSXnnGz2pU8E8SDZI4z:DIoxd6Ugp27yadJH1dSXnGz2pU8A6g
TLSH T170C5231378C48072E9B699B18E15E262FA78BC353265854BB7C8037F3D355A09723B3B
TrID 73.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
8.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.6% (.SCR) Windows screen saver (13097/50/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon d2f2d8ccd4f0f0cc (1 x NetSupport)
Reporter abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
89.39.106.36:3010

Intelligence


File Origin
# of uploads:
1
# of downloads:
218
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
netsupport
ID:
1
File name:
5aa737c4b2322a7b99a3fdfb09be63b5.exe
Verdict:
Malicious activity
Analysis date:
2022-11-15 20:07:59 UTC
Tags:
unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware overlay packed remoteadmin shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Threat name:
Win32.Infostealer.ChePro
Status:
Malicious
First seen:
2022-11-13 09:57:45 UTC
File Type:
PE (Exe)
Extracted files:
478
AV detection:
12 of 26 (46.15%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
netsupport
Score:
10/10
Tags:
family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments