MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64d3eef726267d18037a898e65f9a98aa609a37d6cda7762013f9362ef424dd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 11



SHA256 hash: 64d3eef726267d18037a898e65f9a98aa609a37d6cda7762013f9362ef424dd6
SHA3-384 hash: 4676b33b10d49d8ddd2ffceec7c9146100383d504e80fe2a3561d34d826c48e04a0e132960eaf10a9bd8a7478eb1bdfb
SHA1 hash: f2cb5fef98dd61c96e79896bd9ee84f258f3e856
MD5 hash: ae63b342d6211f00ff9e256b1e2339b3
humanhash: snake-september-spring-wolfram
File name: ae63b342d6211f00ff9e256b1e2339b3.exe
Signature: NetSupport
File size: 2'573'819 bytes
First seen: 2023-03-27 22:55:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1f4f257947c1b713ca7f9bc25f914039 (4 x NetSupport, 1 x AsyncRAT)
ssdeep: 49152:xdoHdxkp92TMp2OSSyWi/TlV56nNeDyQ41Huw9If8DQtqKPi/VBK:id6Ugp24+6UyQ41uw9IkDUii
Threatray: 87 similar samples on MalwareBazaar
TLSH: T1D7C5CE2E7E0CC157E5D25533E85A03FB61B64C28DAD5A00B563E3F7BBBF15A001A2D26
TrID: 73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.6% (.SCR) Windows screen saver (13097/50/3)
      2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: 0e8e2b178e8e9696 (1 x NetSupport)
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
45.15.157.144:3010

Intelligence


File Origin
# of uploads: 1
# of downloads: 264
Origin country: n/a

Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: ae63b342d6211f00ff9e256b1e2339b3.exe
Verdict: Malicious activity
Analysis date: 2023-03-27 22:57:33 UTC
Tags: unwanted netsupport

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Query of malicious DNS domain
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware netsupport overlay packed remoteadmin shell32.dll virus
Result
Verdict: UNKNOWN

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 64 / 100

Signature
Found potential ransomware demand text
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SHA256 hash: 8739677ed5d6ee567d0cc9f69720de231f62c25e76c72c8a1c4946042056f042
MD5 hash: 6416c802fe04c642af6de893f81971ca
SHA1 hash: ecc2776fb9f8d51410d89f615e7405be2222463e

SHA256 hash: 0ed15632e63e0fcdd6cdb99fbaf96398c4ee4cb13efe08096f22fc34b6f3c091
MD5 hash: cbe437f93f116137eca8a391b7608918
SHA1 hash: ce7c476c2f864405941b458380a4c9516600ce61

SHA256 hash: 3793ae901d012039f9d314305b185fcacf6f33f506575b58f6f9a910925b0ca7
MD5 hash: 95b30daf855a4d7dd71d4507e9a5fc06
SHA1 hash: 4ee66d6958beb2fca6a607a4e0361821ce57bb9f

SHA256 hash: 6e720ea9eaf790bd3bfd0b9538116f859d075cb21372730b3b61c523cb223ab5
MD5 hash: c1e217cbfdebbe6efda449483ed26184
SHA1 hash: 266fa8bfc609caa23cf9d58b83503bcacd605591

SHA256 hash: 4a2579e26d10e4199b7d9710afc2495ef9ee624bc22a201971a615658defe4ab
MD5 hash: f93a544221e6875d1cc1805fb28fbd9b
SHA1 hash: 1615cb06bcfd1232fb0809d0ccfd0ec735a28ce4

SHA256 hash: 6c1ee07f1873a7aaa71e484cb6935684972ecead230089e9b93af8821daa12e9
MD5 hash: 912e86bf7d3d18edba8cf1a8c1ef4714
SHA1 hash: c5164c893261613cd21e57ba877dab9920eb310b

SHA256 hash: 64d3eef726267d18037a898e65f9a98aa609a37d6cda7762013f9362ef424dd6
MD5 hash: ae63b342d6211f00ff9e256b1e2339b3
SHA1 hash: f2cb5fef98dd61c96e79896bd9ee84f258f3e856
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments