MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 676855ec417547222bff9b45b7ab109f0d58c4b2cc9b2ad00e0304f5915de1ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	676855ec417547222bff9b45b7ab109f0d58c4b2cc9b2ad00e0304f5915de1ec
SHA3-384 hash:	f9b42b618bdb3c1a263b540d0439eae05ae80b0a857ff9b541d2a3ad41f7b358afe461cab921bcdae078aa1ddb21d126
SHA1 hash:	ff5a1ac9601795b6f8101e2406bde0c51061f073
MD5 hash:	bda044fbf73297612ffb362d626e4214
humanhash:	uniform-network-missouri-eleven
File name:	BDA044FBF73297612FFB362D626E4214.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	3'139'955 bytes
First seen:	2021-08-03 17:36:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6aa9b2c4fb8d9d4659266d12b1aa5fc3 (2 x NetSupport)
ssdeep	49152:ZDESR4ctGua0qM8xTsr7VQNfnVLmLELJ6AXXe2dAayKlKvq/gZcE9hSzISQq+ttG:aSj4umMaQfUCLAXjdrgphScSH+t7dq
Threatray	48 similar samples on MalwareBazaar
TLSH	T1D4E53384CB44A816C0C6B3B72D39162346B0ADF7A4E9D60E254EA69B03356DDFFC817D
dhash icon	5c9c5cacc4e4dc44 (1 x NetSupport)
Reporter	abuse_ch
Tags:	exe NetSupport

abuse_ch

NetSupport C2:
193.188.20.92:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.188.20.92:443	https://threatfox.abuse.ch/ioc/165610/

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BDA044FBF73297612FFB362D626E4214.exe

Verdict:

Malicious activity

Analysis date:

2021-08-03 17:39:52 UTC

Tags:

unwanted netsupport

Link:

https://app.any.run/tasks/17cc4327-261c-4ba6-9259-4fb40decccd6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176141/

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

PUA.Win.Adware.Dealply-6888374-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Delayed reading of the file

Creating a file in the %temp% subdirectories

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Searching for the window

Creating a file in the %AppData% directory

Connection attempt

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a UDP request

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Zeppelin Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16b6fc98-e5ef-4bb0-8aa1-a4627982190a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/826420

Signature

Drops PE files with a suspicious file extension

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/676855ec417547222bff9b45b7ab109f0d58c4b2cc9b2ad00e0304f5915de1ec/

Threat name:

Win32.Infostealer.ChePro

Status:

Malicious

First seen:

2021-08-01 08:38:00 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m5ufl3cbovdsek77tnc3pkyqt4gvrrfszsnsvuaoamcplek54hwa._file

Verdict:

malicious

NetSupport

07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e

NetSupport

41e82e314fceb906d8618dbaa5d622cdea1b453ed74e3d358b5aafee0030490a

NetSupport

46159df1dd676199e544ddeec7acbb73ded7e90796330390b7db4eb4dd274cbd

NetSupport

6109fdc0254cdefc1462dc6a453ecce1cd70d8b533822d3a11be42604eb47a18

NetSupport

68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345

NetSupport

9dc68d85aa368791204ac6afba32756a20627cb557478ccaa56abb24f971ece3

NetSupport

b7e88d00739d77f482b500b254c222ae19171e68a5cd574eaee7b43f0cf79f1d

NetSupport

fe271b4266e4d1da6cd411a99f35ef14bba6e93354d43f4b790008d9222e0ba7

NetSupport

+ 38 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat upx

Link:

https://tria.ge/reports/210803-dtfm7dl5tx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Loads dropped DLL

Executes dropped EXE

NetSupport

Unpacked files

SH256 hash:

a3c695df0c377708f5052c23c7910f01fa121a7d22e7fbe483619ee7cc5f5bc0

MD5 hash:

cd345a3e41bbb84d2c29e7e0910f3776

SHA1 hash:

0b1b0e4610f2957ea3cf11214e5d9d5755a7fe9f

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202

MD5 hash:

f525bd5dcec08be37a94d743d345be14

SHA1 hash:

ed1485111b370e0f75c004c5b253d3bf7ce18cf7

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

a713ed04107b25ef20a683ea4074c2363c29fa0dc5f4add764c49a0f151672dc

MD5 hash:

f1ecb8faec1b3dc3455f7592a2d025be

SHA1 hash:

e68ab463612ff78ee8795a2f0d0963d3d1917146

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

e08fe1199b46422cee7903267d877c4adc9cdb69f3b650e0706999e00676724b

MD5 hash:

c9268dcd876f223418fcac8906f6c7d8

SHA1 hash:

e27cc4aa17cdeb7210ba7c2d3031098dca7eda78

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

35f27d30e01774e65b278f9ae001458529853f42b8533fbc644fcb4f766bb3df

MD5 hash:

0176ebf7cdeec2c29cd1352a143d7fc6

SHA1 hash:

9bd58dc6c39f3a81e8df5c1b3c0860c0b6f212a7

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

a167255992033a4192f4b7a85ea4c777c26c05f624e01008b04e717850c65c6b

MD5 hash:

c47c1a3a891f4dfe86bc502b3d51dccb

SHA1 hash:

1dde2eddcf6e7d9dd0f8faffc891639940c18dc9

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

4be10875bd6c725a8df76468ff6783695cddbf00e3596c2f55336a645d21ee9b

MD5 hash:

4252b8bf60385861e7760c94f4c87b46

SHA1 hash:

03b90385b01e465d21c0570e329d52cd307160ab

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

1407c9e2af5b463086aae3b801c592f19e45c24e85f946b5564b123dd3f5ca89

MD5 hash:

cd335a5ba133b5977f41e34dc77d962a

SHA1 hash:

08ddfe54d9267b60d6c73710a43afec4b63df858

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

SH256 hash:

676855ec417547222bff9b45b7ab109f0d58c4b2cc9b2ad00e0304f5915de1ec

MD5 hash:

bda044fbf73297612ffb362d626e4214

SHA1 hash:

ff5a1ac9601795b6f8101e2406bde0c51061f073

Link:

https://www.unpac.me/results/21a1e0e1-3b97-4aef-8ed5-bdce0b102a54/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/676855ec417547222bff9b45b7ab109f0d58c4b2cc9b2ad00e0304f5915de1ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/176141/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample