MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6109fdc0254cdefc1462dc6a453ecce1cd70d8b533822d3a11be42604eb47a18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	6109fdc0254cdefc1462dc6a453ecce1cd70d8b533822d3a11be42604eb47a18
SHA3-384 hash:	c2a30643d1315e627040b92cd3fdb75234361dd838557df157a29aeb078674d7094127ae3d56c482ea27883c7aefc724
SHA1 hash:	5d77bc64d5b61750022b4201a4d7456a6cf7b263
MD5 hash:	288ef7708fc85bccfb47c21943727b39
humanhash:	california-music-lamp-beryllium
File name:	288EF7708FC85BCCFB47C21943727B39.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	4'704'808 bytes
First seen:	2021-06-24 19:21:32 UTC
Last seen:	2021-08-05 08:01:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	98304:dmzPiNNHQ42a7cMKDjC7IwLkPBNWb4otN3bBSB:8eNHPVAMmjC1QUb4otdle
Threatray	634 similar samples on MalwareBazaar
TLSH	AB263323B9A58D72C93324334669BB496D3679301F54CB7EA3C10D2DD7716E2A318AB3
Reporter	abuse_ch
Tags:	exe Knassar DK ApS NetSupport

abuse_ch

NetSupport C2:
62.173.149.200:1337

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
62.173.149.200:1337	https://threatfox.abuse.ch/ioc/153442/

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

288EF7708FC85BCCFB47C21943727B39.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-24 19:24:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f76b32a4-7ce8-4ca3-8ef2-83ce8df7b4c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/168132/

Detection(s):

Win.Malware.Generic-9872030-0

Win.Malware.Generic-9874383-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a66e7da-7754-46ef-8f61-b6a54b6dc0cc

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

42 / 100

Link:

https://www.joesandbox.com/analysis/807724

Signature

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6109fdc0254cdefc1462dc6a453ecce1cd70d8b533822d3a11be42604eb47a18/

Threat name:

Win32.Infostealer.ChePro

Status:

Malicious

First seen:

2021-06-24 19:22:19 UTC

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mee73qbfjtppyfdc3rvekpwm4hgxbwfvgobc2oqrxzbgatvupima._file

Verdict:

malicious

NetSupport

07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e

NetSupport

46159df1dd676199e544ddeec7acbb73ded7e90796330390b7db4eb4dd274cbd

NetSupport

672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca

NetSupport

68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345

NetSupport

86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b

NetSupport

9dc68d85aa368791204ac6afba32756a20627cb557478ccaa56abb24f971ece3

NetSupport

ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91

NetSupport

fd8d8b2d1513fe8e59d21e96e5f66695bbca33b6f4f9b1561136196db97b9bde

NetSupport

fe271b4266e4d1da6cd411a99f35ef14bba6e93354d43f4b790008d9222e0ba7

NetSupport

+ 624 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/210624-556yyjv5ex/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Loads dropped DLL

Executes dropped EXE

NetSupport

Unpacked files

SH256 hash:

25a6b49a3886d0c4c95427cbf65576241cf6c79b6f4ac8cf98c0f4c5cd11eae2

MD5 hash:

13359f2ce34a0fcb7b826b1699cba1b7

SHA1 hash:

43e74b681e1f54dadd575b08291c85291cbb847b

Link:

https://www.unpac.me/results/a2c3ebc8-fbc7-4b64-9389-6b5fa3c86fb9/

SH256 hash:

aa2e9b395f2332dc12717f9e9e2b627cfa2969f9ad07128e6560303069f6386d

MD5 hash:

e600e015fc78dac19a8f952a1f9ee99c

SHA1 hash:

867fd59612c111a2d060fca90e53bae1e0cc45ac

Link:

https://www.unpac.me/results/a2c3ebc8-fbc7-4b64-9389-6b5fa3c86fb9/

SH256 hash:

6109fdc0254cdefc1462dc6a453ecce1cd70d8b533822d3a11be42604eb47a18

MD5 hash:

288ef7708fc85bccfb47c21943727b39

SHA1 hash:

5d77bc64d5b61750022b4201a4d7456a6cf7b263

Link:

https://www.unpac.me/results/a2c3ebc8-fbc7-4b64-9389-6b5fa3c86fb9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6109fdc0254cdefc1462dc6a453ecce1cd70d8b533822d3a11be42604eb47a18

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/168132/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample