MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
SHA3-384 hash: b60fd7d519c0a0c017dd42d29fdcaff0743f7286930d9480640e8d9cf0b27ae24bd96bf92d17a453369b1ccc3c5add6a
SHA1 hash: 01873977c871d3346d795cf7e3888685de9f0b16
MD5 hash: eab603d12705752e3d268d86dff74ed4
humanhash: echo-ink-solar-golf
File name:TCCTL32.DLL
Download: download sample
Signature NetSupport
Create hunting rule
File size:396'664 bytes
First seen:2022-08-21 18:17:31 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2c4d798bb87ec57193b7625c4259da43 (1 x NetSupport)
ssdeep 12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
Threatray 25 similar samples on MalwareBazaar
TLSH T118849E20BA40C13AF1D61075C6BCDFBA7DADB470176851CB6BD509BA4F582E2E63834B
TrID 75.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.0% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter TheDFIRReportX
Tags:dll NetSupport signed

Code Signing Certificate

Organisation:NetSupport Ltd
Issuer:Symantec Class 3 SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2016-01-12T00:00:00Z
Valid to:2017-09-21T23:59:59Z
Serial number: 2a7c96b4a761a9747606bd1056003d49
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7086610176dbbe170df29e0ee34bfb970322204d0060bef070c091415f105e32
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300052/
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.837.17585.19372.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm greyware greyware overlay packed
Link:
https://www.filescan.io/uploads/63027717c7e5977f84e3ecad/reports/33d782e0-4b42-4675-9237-495e06afc04b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/557e0726-3e9f-48ec-b288-31df558e7183
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
27 / 100
Link:
https://www.joesandbox.com/analysis/1055122
Signature
Contains functionality to detect sleep reduction / modifications
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 687639 Sample: TCCTL32.DLL Startdate: 21/08/2022 Architecture: WINDOWS Score: 27 6 loaddll32.exe 1 2->6         started        process3 8 rundll32.exe 6->8         started        11 rundll32.exe 6->11         started        13 cmd.exe 1 6->13         started        15 6 other processes 6->15 signatures4 28 Contains functionality to detect sleep reduction / modifications 8->28 17 WerFault.exe 23 9 11->17         started        20 rundll32.exe 13->20         started        22 WerFault.exe 9 15->22         started        24 WerFault.exe 2 9 15->24         started        process5 dnsIp6 26 192.168.2.1 unknown unknown 17->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6k5oygopkkv35wc6wqgfyuwckhp3ogjbcii5wsnmzusngaei7va._file
Verdict:
unknown
Similar samples:
48d8e801a917f6d84cb7c144358302402e0f03f8a3667cdbf4be5ad95ec32c6a
NetSupport
64311876870149d62508ee333c179725755f897f1d2e50d53bc4f85d32dde784
NetSupport
6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
NetSupport
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220821-wxlgqachhl/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
MD5 hash:
eab603d12705752e3d268d86dff74ed4
SHA1 hash:
01873977c871d3346d795cf7e3888685de9f0b16
Link:
https://www.unpac.me/results/4872ab53-ec27-487a-9884-05f28ac9859f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.02
Link:
https://yomi.yoroi.company/submissions/6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

DLL dll 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/234345/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300052/

Comments