MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 13



SHA256 hash: 6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
SHA3-384 hash: b07b6d742db60e2b41b667cfd7aeacbd5606667cea972465169936d59a114f02cccd386ddd9b28cb02f04aa7fab42eb3
SHA1 hash: 7fc3b548b599eca588b54a5d78378be24ba4fc91
MD5 hash: 789598a08bc57fea514d9ffd8f072b71
humanhash: triple-mobile-three-lemon
File name: 6a9677534228b1e25cb6b978f465b98c19b08844ea9b5.exe
Signature: NetSupport
File size: 2'620'471 bytes
First seen: 2022-09-09 13:30:19 UTC
Last seen: 2022-10-18 10:03:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep: 49152:ULoNjcFNMcbm0dwovfFYvx7WA+0b7Gsr04TSfZeU69PX8hm50gqdnLospa:ULiSyswWFmLGR9fAUo0gqdnLospa
Threatray: 355 similar samples on MalwareBazaar
TLSH: T11BC5E08ABC53DAF7CA9D9132346B08784C255C2A25A469705560FDC8FA3376CA3193FF
TrID: 76.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      9.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f0796968f4d4d6d0 (1 x NetSupport)
Reporter: abuse_ch
Tags: exe from netsupport smokeloader NetSupport ysanhumeg1-com


abuse_ch
NetSupport C2:
140.82.15.232:2970

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
140.82.15.232:2970    https://threatfox.abuse.ch/ioc/848740/

Intelligence


File Origin
# of uploads: 3
# of downloads: 454
Origin country: n/a

Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: 6a9677534228b1e25cb6b978f465b98c19b08844ea9b5.exe
Verdict: Malicious activity
Analysis date: 2022-09-09 13:31:42 UTC
Tags: unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Query of malicious DNS domain
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a

Behaviour
MalwareBazaar
CheckCmdLine

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed remoteadmin shell32.dll virus

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 76 / 100

Signature
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2022-09-09 08:26:53 UTC
File Type: PE (Exe)
Extracted files: 461
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments