MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10



SHA256 hash: 685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757
SHA3-384 hash: 91861838546142875f867c2c5db96087093a887f2c4f83fa45ca2b330c8db7fc2bc36de3bee94b113375bf2545fcdfcb
SHA1 hash: 1770246098ea07e2024dd31de0fba54916d7236b
MD5 hash: 20eb6b8655de71aad0ba6e71a045b1f6
humanhash: snake-dakota-failed-montana
File name: 20EB6B8655DE71AAD0BA6E71A045B1F6.exe
Signature: NetSupport
File size: 2'718'727 bytes
First seen: 2021-08-07 16:35:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 49152:pAI+mPQQSU9afXEDN50Qx8lMmD4gGovWhJLEx2BwDPw1V46hi5SC0DNdSM2SwMpt:pAI+M4UsuNxyvGoOnEx2BoQVlhi5S9OG
Threatray: 249 similar samples on MalwareBazaar
TLSH: T1C7C5233DB5825672C06107B58C4BE3F6F936BF042B7E54CBB6D91A198D2234227643EE
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
5.252.179.89:1203

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
5.252.179.89:1203 | https://threatfox.abuse.ch/ioc/166007/

Intelligence


File Origin
# of uploads: 1
# of downloads: 203
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Launching a process
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Replacing files
Delayed writing of the file
Running batch commands
Searching for the window
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Launching a tool to kill processes
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is protected by VMProtect
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 461085 (Sample: NTOyiLKfJP.exe, Startdate: 07/08/2021, Architecture: WINDOWS, Score: 100)
Threat name:
Win32.Trojan.Azorult
Status:
Malicious
First seen:
2021-08-05 19:27:00 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:redline family:vidar botnet:916 discovery evasion infostealer persistence spyware stealer suricata trojan upx vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments