MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345
SHA3-384 hash:	dbd553434a1015de7fb2274267ea3c95fb4fbe2c8aaa4954ac30668098eda5f885fb24efa020131ab05c6635382bfdf7
SHA1 hash:	02356f440a5d13768657fe233e48bf9f8c3b1f17
MD5 hash:	c0695c4f73a5a26beaaf5402c949f0be
humanhash:	river-florida-king-cup
File name:	c0695c4f73a5a26beaaf5402c949f0be.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'442'424 bytes
First seen:	2020-07-18 08:53:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:aAOcZRw2dKvDwG1O6Ux2hL8gnz95QFZy6J2fGoDA0yv/XTBe8dj5IFPgdC240bhc:gac7O6T9neJRAAnv/XTU8djSW40G6UmS
Threatray	250 similar samples on MalwareBazaar
TLSH	53B512036643C7BDD4720D3279ABF9E0E9E87A10DA344569AB822A3DB5F13B015F4E71
Reporter	abuse_ch
Tags:	exe NetSupport

Code Signing Certificate

Organisation:	Neoopt LLC
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Jul 14 00:00:00 2020 GMT
Valid to:	Jul 14 23:59:59 2021 GMT
Serial number:	2924785FD7990B2D510675176DAE2BED
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	ADBC44FDA783B5FA817F66147D911FB81A0E2032A1C1527D1B3ADBE55F9D682D
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

NetSupport C2:
ysanhumeg1.com:2071 (62.173.138.41)

Intelligence

File Origin

# of uploads :

1

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27677/

Detection(s):

PUA.Win.Adware.Browsefox-6628766-0

PUA.Win.Trojan.Generic-6629274-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Connection attempt to an infection source

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

42 / 100

Link:

https://www.joesandbox.com/analysis/388634

Signature

Delayed program exit found

Multi AV Scanner detection for submitted file

Yara detected Keylogger Generic

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345/

Threat name:

Win32.Infostealer.ChePro

Status:

Malicious

First seen:

2020-07-18 08:55:06 UTC

File Type:

PE (Exe)

Extracted files:

491

AV detection:

28 of 48 (58.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nayt2s2fzsii6va52wa5poor5dgk3s7savyuyewdnnmaqow2oncq._file

Verdict:

malicious

Similar samples:

10189128ff7ff4ae10111c65ca809615595304636a0d0e451ee34bf23ee900a2

1678611ad4996f718c0a8998ce194dfe117bf47529c4ccad51a6816ecf4f1bb4

1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923

1ca9978db84d8cad7f6a8f838e106799352c386cfa3aee2bbefa195e7fabe166

28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de

3a61804bb8302d42eb46c25a884cf50e7e6e383a9a48bfbfb1cfbe78ed2ed389

4d13350ebf3d38475a0a4a8c223fe6c06e00af3585eb499f60e29639b3944d3f

6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f

9d1f32d9806bafd63451a59e1768502f31cf9dc746c9e92f62b978c1ed259497

fba31181ed1957e81c452fa1e860414d3a2bd2da470074a32f196f873a37d9ad

+ 240 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/200718-hz5d76zzrs/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

JavaScript code in executable

JavaScript code in executable

Drops startup file

Loads dropped DLL

Drops startup file

Loads dropped DLL

Executes dropped EXE

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/414733/

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/27677/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample