MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca
SHA3-384 hash:	8dcb1c76fb5722af0fdd63e60aadb4a42eae1e85ad7d1cbbb28237a4e793cbc0ff7c95910a1479e2512e62d8f2eceb53
SHA1 hash:	a9de727fae19a1c953bbe6cfb559906428f09e52
MD5 hash:	1a44217a97c294c528d5da09590e64e7
humanhash:	neptune-cold-carolina-pennsylvania
File name:	1A44217A97C294C528D5DA09590E64E7.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'072'096 bytes
First seen:	2021-06-16 18:16:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep	49152:KxcPjL9f3YkubCggt+k0F6eYClIKzEWHoimigmkV+:Kxcf9/YPbfrkI6e1VzEWHoiLgmkI
Threatray	81 similar samples on MalwareBazaar
TLSH	D3A533137AE2A0BBD953163368F86254D5BDFD317551EA86F302B90F3FB028A4961783
Reporter	abuse_ch
Tags:	Cloud Estates London Limited exe NetSupport

abuse_ch

NetSupport C2:
37.61.213.242:2549

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
37.61.213.242:2549	https://threatfox.abuse.ch/ioc/130859/

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1A44217A97C294C528D5DA09590E64E7.exe

Verdict:

Malicious activity

Analysis date:

2021-06-16 18:19:53 UTC

Tags:

unwanted netsupport

Link:

https://app.any.run/tasks/ed7a3893-c5e5-4061-9fd6-ae2f5825039e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.NetSupportManager-9853749-1

SecuriteInfo.com.FakeAV.ADRB.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Delayed reading of the file

Sending a UDP request

Creating a process from a recently created file

DNS request

Launching a process

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e6ef56c1-6265-4a9b-b1e9-d715ba1cf770

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/803266

Signature

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca/

Threat name:

Win32.Infostealer.ChePro

Status:

Malicious

First seen:

2021-06-13 14:14:48 UTC

AV detection:

12 of 28 (42.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4xoxth3acu2jtar73ccglx7hsd7pbyndtxuyzd5gzeadsvyctfa._file

Verdict:

malicious

NetSupport

24d6774c1e91ab5d03b2bc857f8f35534acbc8f4ed8aaf802372588638100cb4

NetSupport

46159df1dd676199e544ddeec7acbb73ded7e90796330390b7db4eb4dd274cbd

NetSupport

68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345

NetSupport

82732e47492148243ee3fb338c93d43b9a9984f39e3409327600cffc5766af1b

NetSupport

86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b

NetSupport

9dc68d85aa368791204ac6afba32756a20627cb557478ccaa56abb24f971ece3

NetSupport

ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91

NetSupport

eb9a70ac0d1f7c413f10f5308bda81e1da5a9b5bfd2ab7c8d89232eada71c143

NetSupport

fe271b4266e4d1da6cd411a99f35ef14bba6e93354d43f4b790008d9222e0ba7

NetSupport

+ 71 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/210616-6hxcnpfchn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Loads dropped DLL

Executes dropped EXE

NetSupport

Unpacked files

SH256 hash:

2f7156ef8bb3eda4d82bf5152133f5b9547fbf31ff8106943c5911da2644d8a0

MD5 hash:

4f110b0c4842d762c1d3a5790bdc76c7

SHA1 hash:

b4120866efb0ec843f23231c3cced13220d9196c

Link:

https://www.unpac.me/results/05886503-1774-4c99-b8ba-e7ff501df316/

SH256 hash:

1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202

MD5 hash:

f525bd5dcec08be37a94d743d345be14

SHA1 hash:

ed1485111b370e0f75c004c5b253d3bf7ce18cf7

Link:

https://www.unpac.me/results/05886503-1774-4c99-b8ba-e7ff501df316/

SH256 hash:

69ae5fecaea31fc1685c31970e3ef779d842edb8d77dec591047aa83cefe9741

MD5 hash:

373655272b7b5bec4c138fad8a1af07f

SHA1 hash:

7546ea896562be6f82dfd53f239be5cd50215175

Link:

https://www.unpac.me/results/05886503-1774-4c99-b8ba-e7ff501df316/

SH256 hash:

de2bf0370d82f83bd4a8219937ef88c11e553cabfb13eab37e890978887cf01e

MD5 hash:

929135b7cb40bc82abda272646d1b247

SHA1 hash:

73ec0527aac1371245e2b7d329062db2b040658e

Link:

https://www.unpac.me/results/05886503-1774-4c99-b8ba-e7ff501df316/

SH256 hash:

1e4d6363e2e9d31e24a36caa382a431b365a0f31460b95f0fdd8892503dd1f93

MD5 hash:

61623521aee12d54c847a36fd9389915

SHA1 hash:

4dec6e630f557d17fc10b31d5b51e67e9f09b327

Link:

https://www.unpac.me/results/05886503-1774-4c99-b8ba-e7ff501df316/

SH256 hash:

d410a7bf723e005af3c49bca149a8777d10107f8b84e03fb22ec035a09b5aad8

MD5 hash:

da9031565c11eda9f8580a54ff43c503

SHA1 hash:

4357504dca7c2ddf3ece759bfce21833458dfba9

Link:

https://www.unpac.me/results/05886503-1774-4c99-b8ba-e7ff501df316/

SH256 hash:

672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca

MD5 hash:

1a44217a97c294c528d5da09590e64e7

SHA1 hash:

a9de727fae19a1c953bbe6cfb559906428f09e52

Link:

https://www.unpac.me/results/05886503-1774-4c99-b8ba-e7ff501df316/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample