MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64311876870149d62508ee333c179725755f897f1d2e50d53bc4f85d32dde784. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 1 File information Comments

SHA256 hash:	64311876870149d62508ee333c179725755f897f1d2e50d53bc4f85d32dde784
SHA3-384 hash:	3fd0e26c5309b58e770b124d8eec9542982232de7e81ffcc9b5c072fdc4f65060648f4bbdf4e8fc8775f0ca04d7d8c29
SHA1 hash:	a22a3aac21d6d8fee0cfd54ef0da078f222eb2a1
MD5 hash:	c8620b87b853cad801d8a3ac4ee294ef
humanhash:	carpet-jersey-jig-summer
File name:	64311876870149D62508EE333C179725755F897F1D2E5.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'499'284 bytes
First seen:	2022-03-24 16:22:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf8e93937f9e7494ce0335cf5d059356 (8 x NetSupport)
ssdeep	49152:NynH16ehafNELosC+o3XwOImS8qJjPE0Ro0GAZa//VRzuA4GJ8VAG:NyHfhalEu+3P7xEeGAZyVVuQJgN
Threatray	116 similar samples on MalwareBazaar
TLSH	T111C533B69BED40B7CC3542301EB56A30CA79BC3443FEF919DBD2421B26A17A9C617712
File icon (PE):
dhash icon	b2e0e0d0f1cdd4d4 (2 x NetSupport)
Reporter	abuse_ch
Tags:	exe NetSupport

abuse_ch

NetSupport C2:
185.87.49.233:5538

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.87.49.233:5538	https://threatfox.abuse.ch/ioc/446917/

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netsupport

ID:

File name:

e50d2760-4528-402e-8191-543bb91a5c2d.tmp

Verdict:

Malicious activity

Analysis date:

2022-01-02 19:37:07 UTC

Tags:

unwanted netsupport

Link:

https://app.any.run/tasks/4666371e-870e-4323-ba3a-142bc014be18

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetSupport

Link:

https://www.capesandbox.com/analysis/257233/

Detection(s):

SecuriteInfo.com.Program.RemoteAdmin.837.17168.28161.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.11410.22550.UNOFFICIAL

PUA.Win.Packer.Pseudosigner-36

SecuriteInfo.com.Program.RemoteAdmin.837.26913.7397.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.23370.1523.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.3834.24092.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.8440.9194.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.17585.19372.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Launching a process

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11167/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm greyware overlay packed remoteadmin shell32.dll update.exe

Link:

https://www.filescan.io/uploads/623c9aeadfdfa8501cd9a26e/reports/8d384a0c-ef7e-4e08-9499-fc86081912ca/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/18eb0c30-c1cb-424e-a36d-0f0d231a4347

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/963877

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64311876870149d62508ee333c179725755f897f1d2e50d53bc4f85d32dde784/

Threat name:

Win32.Infostealer.ChePro

Status:

Malicious

First seen:

2021-11-30 08:29:21 UTC

File Type:

PE (Exe)

Extracted files:

460

AV detection:

21 of 42 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mqyrq5uhafe5mjii5yztyf4xev2v7cl7duxfbvj3yt4f2mw546ca._file

Verdict:

malicious

NetSupport

2ae575f006fc418c72a55ec5fdc26bc821aa3929114ee979b7065bf5072c488f

NetSupport

4462791b16636d3c286bd48038c417dc8341904b676840aa5ee638380f133d07

NetSupport

48d8e801a917f6d84cb7c144358302402e0f03f8a3667cdbf4be5ad95ec32c6a

NetSupport

9d1bc81d3ef2b925df9091ad231cb10d3a9a1cfce0dc75f6c419b3d605e452c1

NetSupport

+ 106 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/220324-tvs3nsgahn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

NetSupport

Unpacked files

SH256 hash:

1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202

MD5 hash:

f525bd5dcec08be37a94d743d345be14

SHA1 hash:

ed1485111b370e0f75c004c5b253d3bf7ce18cf7

Link:

https://www.unpac.me/results/d1b02998-7a9d-47ca-9469-c574840f4dae/

SH256 hash:

d786174fae3afcd0cb7bd3dd78538791c9a3559f811d5281abede817d2f7bd98

MD5 hash:

7ef2385f0d1a29a9f24a2b13651a1efb

SHA1 hash:

ead481e5c33e51e5249149afe2f8c6b762d40be1

Link:

https://www.unpac.me/results/d1b02998-7a9d-47ca-9469-c574840f4dae/

SH256 hash:

6fc050014e658530f6515b1606245e2339e53657e8b5dd775946247597352982

MD5 hash:

024f4c1bd683aaad5a5c269d0da89ef1

SHA1 hash:

d5e348dee43ffc47f5540b8f2e9f0908d5e63e7c

Link:

https://www.unpac.me/results/d1b02998-7a9d-47ca-9469-c574840f4dae/

SH256 hash:

f5e762400621e75e4e7a1380fd2b3b63302daf48d66bed59383ce707582129ca

MD5 hash:

09509d60d44179573a18486c4503b654

SHA1 hash:

93a84dca2d2d96cc9fff9fb291cf5e8406a0193e

Link:

https://www.unpac.me/results/d1b02998-7a9d-47ca-9469-c574840f4dae/

SH256 hash:

1e4d6363e2e9d31e24a36caa382a431b365a0f31460b95f0fdd8892503dd1f93

MD5 hash:

61623521aee12d54c847a36fd9389915

SHA1 hash:

4dec6e630f557d17fc10b31d5b51e67e9f09b327

Link:

https://www.unpac.me/results/d1b02998-7a9d-47ca-9469-c574840f4dae/

SH256 hash:

8a7f0b699f755fd5f91ef8e4d6128d5ae01a8f04fd9ef25bf02a19a1d1f2797a

MD5 hash:

fb80ea89153550ecf315b61426c66ccc

SHA1 hash:

11d005dd590fe642a6b42121a7688d50bfac5888

Link:

https://www.unpac.me/results/d1b02998-7a9d-47ca-9469-c574840f4dae/

SH256 hash:

64311876870149d62508ee333c179725755f897f1d2e50d53bc4f85d32dde784

MD5 hash:

c8620b87b853cad801d8a3ac4ee294ef

SHA1 hash:

a22a3aac21d6d8fee0cfd54ef0da078f222eb2a1

Link:

https://www.unpac.me/results/d1b02998-7a9d-47ca-9469-c574840f4dae/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/64311876870149d62508ee333c179725755f897f1d2e50d53bc4f85d32dde784

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/257233/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample