MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 9

SHA256 hash: 64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605
SHA3-384 hash: aab6464f383605f774bec271ab3309737cd9f49af87f9b096b1fabf9f73d2f2fbcd9360791c8627d02cbcd2322789ab6
SHA1 hash: 304a1b55953b91822ee9b3eb4f8c6162eb39cf3e
MD5 hash: 7b3fad053f48326b3d69ce2ef83baf38
humanhash: pip-comet-vermont-oxygen
File name: 64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605
Signature: NetSupport
File size: 7'299'416 bytes
First seen: 2021-08-05 09:15:24 UTC
Last seen: 2021-08-05 10:01:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:ad/tGPPLAczgTTgvlHcQZyu2WyYGqGgujZ+FT+8LsOxtl:uULJcT0vlHtZyu2FLv5jtotl
Threatray: 27 similar samples on MalwareBazaar
TLSH: T1B776223FB268653ED8AF5B3245B39320997B7A60A80A8C5E07F0491DCF665702F3E715
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: JAMESWT_WT
Tags: exe Gavrilov Andrei Alekseevich NetSupport signed

Code Signing Certificate

Organisation: Gavrilov Andrei Alekseevich
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2019-07-09T00:00:00Z
Valid to: 2024-07-08T23:59:59Z
Serial number: bdb99d5ecf8271d48e35f1039c2160ef
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: ddaa6ebc2929dc4c12c13d329ca2eb2559c35887e3bbb015b91c8aef12ed5531
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 140
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6571388943237120.zip
Verdict: Malicious activity
Analysis date: 2020-11-20 13:48:35 UTC
Tags: unwanted netsupport

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: troj.evad
Score: 36 / 100
Signature
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph ID: 460216; Sample: NENCruGXCs; Startdate: 05/08/2021; Architecture: WINDOWS; Score: 36
Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 2 other signatures
Processes started: NENCruGXCs.exe, null.exe, client32.exe, NENCruGXCs.tmp, ZCC.exe
Files dropped by NENCruGXCs.exe: C:\Users\user\AppData\...\NENCruGXCs.tmp (PE32)
Files dropped by NENCruGXCs.tmp: C:\Users\user\AppData\...\null.exe (copy) (PE32); C:\Users\user\AppData\...\is-48RB1.tmp (PE32); 16 other files (none is malicious)
Files dropped by null.exe: C:\Users\user\AppData\...\remcmdstub.exe (PE32); C:\Users\user\AppData\Roaming\...\pcicapi.dll (PE32); C:\Users\user\AppData\...\msvcr100.dll (PE32); 6 other files (none is malicious)
Network activity (client32.exe): coinduck.duckdns.org 188.165.207.8, ports 1337, 49749 (OVHFR, France); geography.netsupportsoftware.com 62.172.138.35, ports 49750, 80 (BTGB, United Kingdom); 2 other IPs or domains
Threat name: Win32.Trojan.NetSup
Status: Malicious
First seen: 2020-03-22 01:54:00 UTC
File Type: PE (Exe)
Extracted files: 997
AV detection: 7 of 46 (15.22%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments