MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c5ef223c061bcda14cb952d54e500c62d6b606222487dee334b3766bfb85449. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 7



SHA256 hash: 5c5ef223c061bcda14cb952d54e500c62d6b606222487dee334b3766bfb85449
SHA3-384 hash: 7d6567faebfd0d13531f8f3edcf4ba3ce0d1998a148c38c0453f677732ed58474da432f07e99563c6788e58a92e0ee7d
SHA1 hash: af2c2fb756eb69ba8f94e85a08da167dd3387fea
MD5 hash: bdfa8bc2ad2d79924dbc9f7a8037086a
humanhash: berlin-bacon-rugby-diet
File name: BDFA8BC2AD2D79924DBC9F7A8037086A.exe
Signature: NetSupport
File size: 1'764'126 bytes
First seen: 2021-09-05 18:10:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 24576:t4nXubIQGyxbPV0db26WK7qKnKsv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdON:tqe3f6D5jSffPMWrQ0ZkS
TLSH: T1B685C03FF268A53EC45A1B3245B39250997BBA60B81A8C1F07FC384DCF765601E3B656
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe NetSupport

Note that both the imphash and the icon dhash are shared with many samples of unrelated families (ParallaxRAT, Gh0stRAT, generic adware, LummaStealer, OffLoader), so they fingerprint the installer wrapper this sample is packaged in rather than NetSupport itself; pivot on the exact hashes, the C2 endpoint and the dropped components instead.


abuse_ch
NetSupport C2:
5.45.83.127:1203

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
5.45.83.127:1203    https://threatfox.abuse.ch/ioc/216209/
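The practical use of an entry like this is to match what you see on your own hosts and network against its IOCs. The script below is an added example (not MalwareBazaar or ThreatFox code) that does that for both the hash section above and the C2 endpoint in this table: it computes the four digests MalwareBazaar lists for a file and checks them against the entry, and walks Zeek conn.log rows for the C2 ip:port. The hashes and the endpoint are copied from this page; the conn.log excerpt, the internal host and the connection uids are constructed for the example.

```python
"""Match file hashes and network connections against this entry's IOCs.
Added example, not MalwareBazaar or ThreatFox code.  The hashes and the
C2 endpoint are copied from the entry above; the Zeek conn.log lines are
constructed for the example."""
import hashlib
from typing import Optional

# Copied from the MalwareBazaar entry (keys are hashlib constructor names).
SAMPLE_HASHES = {
    "sha256": "5c5ef223c061bcda14cb952d54e500c62d6b606222487dee334b3766bfb85449",
    "sha3_384": "7d6567faebfd0d13531f8f3edcf4ba3ce0d1998a148c38c0453f677732ed58474da432f07e99563c6788e58a92e0ee7d",
    "sha1": "af2c2fb756eb69ba8f94e85a08da167dd3387fea",
    "md5": "bdfa8bc2ad2d79924dbc9f7a8037086a",
}
C2_ENDPOINTS = {("5.45.83.127", 1203)}          # ThreatFox IOC 216209
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}


def file_digests(data: bytes) -> dict:
    """All four digests MalwareBazaar lists, so any one of them can be compared."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in SAMPLE_HASHES}


def lookup_hash(h: str) -> Optional[str]:
    """Name the algorithm if h (any case, stray whitespace) is one of the entry's hashes."""
    h = h.strip().lower()
    for name, known in SAMPLE_HASHES.items():
        if h == known:
            return name
    return None


def matches_sample(data: bytes) -> bool:
    """True if the file content hashes to this entry under any listed algorithm."""
    digests = file_digests(data)
    return any(digests[name] == known for name, known in SAMPLE_HASHES.items())


def scan_conn_log(lines):
    """Walk Zeek conn.log (TSV) rows; in the default field order id.resp_h is column 5
    and id.resp_p column 6.  An ip:port match is 'exact'; the same IP on another port
    is 'ip-only', still worth a look because C2 ports change more often than servers."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.rstrip("\n").split("\t")
        if len(f) < 7:
            continue
        resp_h, resp_p = f[4], int(f[5])
        if (resp_h, resp_p) in C2_ENDPOINTS:
            level = "exact"
        elif resp_h in C2_IPS:
            level = "ip-only"
        else:
            continue
        hits.append({"ts": f[0], "uid": f[1], "orig": f[2],
                     "resp": f"{resp_h}:{resp_p}", "match": level})
    return hits


# Constructed conn.log excerpt in the default Zeek column order; host and uids are made up.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1630865000.123456\tCa1b2c3\t192.168.2.15\t49710\t5.45.83.127\t1203\ttcp\t-\n"
    "1630865001.000000\tCd4e5f6\t192.168.2.15\t49711\t142.250.203.110\t443\ttcp\tssl\n"
    "1630865002.000000\tCg7h8i9\t192.168.2.15\t49712\t5.45.83.127\t443\ttcp\tssl\n"
)

if __name__ == "__main__":
    for hit in scan_conn_log(SAMPLE_CONN_LOG.splitlines()):
        print(hit)
    print("hash lookup:", lookup_hash("AF2C2FB756EB69BA8F94E85A08DA167DD3387FEA"))
```

On a real conn.log check the `#fields` header rather than assuming the default column order, and treat an "ip-only" hit as a lead to confirm against the sandbox's domain list (teamfourone.xyz resolves to the same address in the behavior graph further down), not as a verdict.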

Intelligence


File Origin
# of uploads: 1
# of downloads: 229
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: BDFA8BC2AD2D79924DBC9F7A8037086A.exe
Verdict: Suspicious activity
Analysis date: 2021-09-05 18:11:30 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Sending a UDP request

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 44 / 100
Signature
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sigma detected: Logon Scripts (UserInitMprLogonScript)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
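Two of the signatures above describe the same persistence mechanism: "Creates an undocumented autostart registry key" and "Sigma detected: Logon Scripts (UserInitMprLogonScript)" (the behavior graph further down attributes the registry write to reg.exe). A string placed in the UserInitMprLogonScript value of a user's Environment key is executed at each interactive logon, and ordinary software almost never sets it, so the value name alone is a high-confidence signal. The script below is an added example, not MalwareBazaar or sandbox code: it applies the match condition that the public Sigma rule of that name uses (the value name appearing in a process command line or in the target of a registry-set event) to constructed Sysmon-style Event ID 1 and Event ID 13 records, and offers a live check of the current user's key on a Windows host. The script path in the constructed events is hypothetical; the page does not show the value the sample wrote.

```python
"""Detect the UserInitMprLogonScript logon-script persistence that the
sandbox reported for this sample (Sigma: Logon Scripts (UserInitMprLogonScript)).
Added example, not MalwareBazaar or sandbox code; the events below are
constructed in the shape of Sysmon Event ID 1 and 13 records."""
import re
from typing import Optional

# The value name is the whole signal: a path in HKCU\Environment\UserInitMprLogonScript
# runs at every interactive logon, and legitimate software almost never sets it.
NEEDLE = re.compile(r"UserInitMprLogonScript", re.IGNORECASE)

# Constructed events. The script path is hypothetical; the page does not show the real value.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\ProgramData\Example\run.cmd /f"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\ProgramData\Example\run.cmd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Environment\Path",
     "Details": r"C:\Tools"},
]


def detect_logon_script_persistence(events):
    """Return (rule_part, image, value) for every event matching the rule logic:
    EventID 1 with the value name in CommandLine, or EventID 13 with it in TargetObject.
    Benign Environment writes (Path above) do not match."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1 and NEEDLE.search(ev.get("CommandLine", "")):
            alerts.append(("process_creation", ev["Image"], ev["CommandLine"]))
        elif ev.get("EventID") == 13 and NEEDLE.search(ev.get("TargetObject", "")):
            alerts.append(("registry_set", ev["Image"], ev.get("Details", "")))
    return alerts


def check_local_registry() -> Optional[str]:
    """Live check on a Windows host: the current HKCU\\Environment\\UserInitMprLogonScript
    value, or None if it is absent (also None where winreg does not exist, i.e. non-Windows)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Environment") as key:
            return winreg.QueryValueEx(key, "UserInitMprLogonScript")[0]
    except OSError:
        return None


if __name__ == "__main__":
    for part, image, value in detect_logon_script_persistence(EVENTS):
        print(f"[{part}] {image} -> {value}")
    print("live HKCU value:", check_local_registry())
```

The registry-set branch is the one to rely on in a SIEM: the command-line branch misses writes made through the API rather than reg.exe, and the sandbox itself flagged this sample for an obfuscated command line. Any non-empty value returned by the live check on a user workstation deserves the same scrutiny as an alert.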
Behaviour
Behavior Graph:
Behavior Graph ID: 478015 | Sample: J9DkNGzJzU.exe | Start date: 05/09/2021 | Architecture: WINDOWS | Score: 44

Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 2 other signatures.
Sample-level network: www.happybrewfriends.com; www.allroadslimit.com; 19 other IPs or domains.

Process tree (dropped files, network contacts and signatures listed under the process responsible):
J9DkNGzJzU.exe
  dropped: C:\Users\user\AppData\...\J9DkNGzJzU.tmp (PE32)
  -> J9DkNGzJzU.tmp
     network: findmemolite.com 46.101.214.246 (DIGITALOCEAN-ASNUS, Netherlands); ingstorage.com 5.182.39.145 port 80, local port 49703 (ALEXHOSTMD, Russian Federation); st.priceyam.xyz
     dropped: C:\Users\user\AppData\Local\...\setup_0.exe (PE32); C:\Users\user\AppData\Local\...\setup_1.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
     signature: Performs DNS queries to domains with low reputation
     -> setup_0.exe
        dropped: C:\Users\user\AppData\Local\...\setup_0.tmp (PE32)
        -> setup_0.tmp
           dropped: C:\Users\user\AppData\...\vdi_compiler.exe (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 10 other files (none is malicious)
           signature: Obfuscated command line found
           -> cmd.exe
              -> expand.exe
                 dropped: C:\ProgramData\...\svrwebui.exe (copy, PE32); C:\ProgramData\...\remcmdstub.exe (copy, PE32); C:\ProgramData\...\pcicapi.dll (copy, PE32); 13 other files (none is malicious)
              -> conhost.exe
           -> cmd.exe
              -> chrome.exe
                 network: 192.168.2.1; 239.255.255.250 (reserved)
                 signature: Writes to foreign memory regions
                 -> chrome.exe
                    network: clients.l.google.com 142.250.203.110 (GOOGLEUS, United States); googlehosted.l.googleusercontent.com 142.250.203.97 (GOOGLEUS, United States); 9 other IPs or domains
                 -> chrome.exe
              -> conhost.exe
           -> svrwebui.exe
              network: teamfourone.xyz 5.45.83.127 (RECONNRU, Russian Federation); geography.netsupportsoftware.com 195.171.92.116 (BT-UK-AS BTnet UK Regional network, United Kingdom); geo.netsupportsoftware.com
              signature: Performs DNS queries to domains with low reputation
           -> 2 other processes
              -> reg.exe
                 signature: Creates an undocumented autostart registry key
              -> conhost.exe
              -> WerFault.exe
              -> 4 other processes
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2021-09-02 04:40:00 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 457941f0427b98ac8fa422808bcc128891b7a7c9c62bef0aa1e8602928b87842
MD5 hash: 2c117928838a0f385316df3042380673
SHA1 hash: 53acfffd2b3dc0b2ce097da4f16dbfb54f41149d

SHA256 hash: 5c5ef223c061bcda14cb952d54e500c62d6b606222487dee334b3766bfb85449
MD5 hash: bdfa8bc2ad2d79924dbc9f7a8037086a
SHA1 hash: af2c2fb756eb69ba8f94e85a08da167dd3387fea

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments