MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
SHA3-384 hash: 7c97eb2dfaf6c8124dcd6f39b515954e83dcf30520be52354860cbbc9ae17e25da78eecec3f38c11df4d77bb15a911e4
SHA1 hash: 396b9f96219785f0c80c69703dc623c23554affc
MD5 hash: a3cea314d888a08b79002656a9f4b927
humanhash: hot-low-double-carbon
File name:file
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'283'788 bytes
First seen:2024-11-25 13:56:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep 49152:kDjlabwz9F+H1Zf8NNbTfvaw2EheBgtpsDf5Log8nUQkFG534txeqJ:0qwPk1ZfWhvcEhQGa178UnFdJ
Threatray 727 similar samples on MalwareBazaar
TLSH T1CEB51209E3E909F5D0B7E53CCA668D02F77A7C5903309A8F23B0565A1F673A09E39761
TrID 73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
15.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.9% (.EXE) Win64 Executable (generic) (10522/11/4)
1.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter Bitsight
Tags:45-61-128-74 exe NetSupport


Avatar
Bitsight
url: http://31.41.244.11/files/151334531/fqVBP7A.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
US US
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-25 13:57:01 UTC
Tags:
unwanted netsupport remote
Link:
https://app.any.run/tasks/f2d4c40e-26f0-4768-aaed-0a3f92c00e56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.RMS.153.10942.13342.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6744822fd0583382434b0aeb
Tags:
vmdetect netsup
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Running batch commands
Launching a process
Creating a process from a recently created file
Connection attempt
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Connection attempt to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm exploit fingerprint installer keylogger microsoft_visual_cc netsupport netsupportmanager overlay packed packed packed packer_detected remoteadmin sfx
Link:
https://www.filescan.io/uploads/6744823b408856bcc994d429/reports/466a84cf-8128-493e-bbdc-b8e7867db767/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d49bdba6-f371-4177-9ab6-b5755cad6fe3
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1562378
Signature
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562378 Sample: file.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 96 38 geo.netsupportsoftware.com 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 8 file.exe 1 17 2->8         started        11 shv.exe 2->11         started        13 shv.exe 2->13         started        15 shv.exe 2->15         started        signatures3 process4 file5 30 C:\Users\Public30etstat\shv.exe, PE32 8->30 dropped 32 C:\Users\Public32etstat\remcmdstub.exe, PE32 8->32 dropped 34 C:\Users\Public34etstat\pcicapi.dll, PE32 8->34 dropped 36 6 other files (3 malicious) 8->36 dropped 17 cmd.exe 1 8->17         started        process6 signatures7 44 Uses cmd line tools excessively to alter registry or file data 17->44 20 shv.exe 17 17->20         started        24 shv.exe 17->24         started        26 conhost.exe 17->26         started        28 4 other processes 17->28 process8 dnsIp9 40 45.61.128.74, 443, 49708 M247GB United States 20->40 42 geo.netsupportsoftware.com 104.26.0.231, 49709, 80 CLOUDFLARENETUS United States 20->42 54 Multi AV Scanner detection for dropped file 20->54 56 Contains functionalty to change the wallpaper 20->56 58 Delayed program exit found 20->58 60 Contains functionality to detect sleep reduction / modifications 20->60 signatures10
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a/
Threat name:
Win64.Trojan.NetSupport
Create hunting rule
Status:
Malicious
First seen:
2024-11-25 13:57:06 UTC
File Type:
PE+ (Exe)
Extracted files:
470
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mq2w422hqgjf56kanfoyngucnxbct2irsgp27bzj3dp3gtzr4yna._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
NetSupport
50c263fc02412062ca239e7419880678f797408a243d0a2140bc7bbb96a716c1
NetSupport
6a8f94da45c0b3b791bbfb71b2e9a7cc6bd5dd777da0655ebc3137ad4070c72f
NetSupport
bf2165a4bdafb0945c8b370758e6d0b9ab145147e7ddab448a01b3b25c2ad8a7
NetSupport
error
NetSupport
+ 717 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery persistence rat
Link:
https://tria.ge/reports/241125-q8849szmbw/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
RemoteAccessTool
YARA:
n/a
Link:
https://app.threat.zone/submission/fd0685d5-31ca-4a7d-be0f-646a21f275d1
Unpacked files
SH256 hash:
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
MD5 hash:
dcde2248d19c778a41aa165866dd52d0
SHA1 hash:
7ec84be84fe23f0b0093b647538737e1f19ebb03
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash:
0e37fbfa79d349d672456923ec5fbbe3
SHA1 hash:
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
MD5 hash:
eab603d12705752e3d268d86dff74ed4
SHA1 hash:
01873977c871d3346d795cf7e3888685de9f0b16
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
MD5 hash:
00587238d16012152c2e951a087f2cc9
SHA1 hash:
c4e27a43075ce993ff6bb033360af386b2fc58ff
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
MD5 hash:
8d9709ff7d9c83bd376e01912c734f0a
SHA1 hash:
e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
MD5 hash:
a0b9388c5f18e27266a31f8c5765b263
SHA1 hash:
906f7e94f841d464d4da144f7c858fa2160e36db
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
26dbb528c270c812423c3359fc54d13c52d459cc0e8bc9b0d192725eda34e534
MD5 hash:
325b65f171513086438952a152a747c4
SHA1 hash:
a1d1c397902ff15c4929a03d582b09b35aa70fc0
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
00f57b9910630a7049df821a39c733ca35763d9b11a58e8c0e52b06066a52643
MD5 hash:
46eacdca48274cc56965e2f11cc63d66
SHA1 hash:
305429533557823d54f1cb1766d080b7249b6d99
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
SH256 hash:
64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a
MD5 hash:
a3cea314d888a08b79002656a9f4b927
SHA1 hash:
396b9f96219785f0c80c69703dc623c23554affc
Link:
https://www.unpac.me/results/d8330c49-77b9-471e-af8f-d151dc990e11/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

Executable exe 64356e6b4781925ef940695d869a826dc229e911919faf8729d8dfb34f31e61a

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3304153/
  
URLhaus
https://urlhaus.abuse.ch/url/3305121/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments