MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b5632608c6187fe40fd1e93cea7a0326748b3079955cd9893bb2807b5424982. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 9


SHA256 hash: 6b5632608c6187fe40fd1e93cea7a0326748b3079955cd9893bb2807b5424982
SHA3-384 hash: 4bd4f818e2a4ac4f02d81072b86a971e50245359a60b046c0d126bae2a7726c92514965f19e53ad86caa569c80fc9179
SHA1 hash: ea40f48158f4cc7924c9f40db34a22982b50392f
MD5 hash: 57c8d42bb07b1223cacf9dff71fca2c3
humanhash: xray-snake-alanine-eight
File name: 57c8d42bb07b1223cacf9dff71fca2c3.exe
Download: download sample
Signature: NetSupport
File size: 172'032 bytes
First seen: 2021-11-12 16:36:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1eb985407d404811ad25dcff76a8017 (1 x NetSupport, 1 x Smoke Loader)
ssdeep: 3072:V7duMgsom0Fgg5wtuUKHSQd2AvjAmvCDFtRDpZa9uD6VdyhkO:rQsom0Fgg5yuU+SQd2EeFtlwVf
Threatray: 5'355 similar samples on MalwareBazaar
TLSH: T16BF3BE2077E1D876E1A22AF01474C7B15B3AFD3225714A0B3B58162E3EB33D48AB6753
File icon (PE): PE icon
dhash icon: fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
50.18.71.252:12081

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
50.18.71.252:12081       https://threatfox.abuse.ch/ioc/247495/
144.202.123.191:49885    https://threatfox.abuse.ch/ioc/247496/
195.133.18.66:51391      https://threatfox.abuse.ch/ioc/247497/
95.168.174.42:42482      https://threatfox.abuse.ch/ioc/247498/
173.234.155.82:2909      https://threatfox.abuse.ch/ioc/247499/

Intelligence


File Origin
# of uploads: 1
# of downloads: 171
Origin country: n/a
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Raccoon RedLine SmokeLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 520738; sample SF45gO3Bc8.exe; start date 12/11/2021; architecture WINDOWS; score 100). The information recoverable from the graph rendering:

Process tree:
  SF45gO3Bc8.exe (antivirus detection for URL or domain; multi AV scanner detection for submitted file; Yara detected SmokeLoader; 7 other signatures)
    SF45gO3Bc8.exe (child; contains functionality to inject code into remote processes; injects a PE file into a foreign process; checks kernel code integrity; disk-enumeration VM check; maps a DLL or memory area into another process)
      explorer.exe (injected; system process connects to network; benign Windows process drops PE files; deletes itself after installation; hides zone.identifier)
        2BE9.exe (multi AV scanner detection for dropped file; DLL reload attack detected; unpacking changes PE section rights; 5 other signatures)
        347F.exe (queries firmware table information; window-name sandbox detection; 4 other signatures)
          AppLaunch.exe
        48CF.exe (machine learning detection for dropped file; 2 other signatures)
        6 other processes (antivirus detection for dropped file; unpacking overwrites own PE header; WMI Win32_DiskDrive query; process hollowing)
          2CDA.exe (checks kernel code integrity; maps a DLL or memory area into another process; disk-enumeration VM check; thread injection)
          52FC.exe
          390A.exe
          3 other processes
  vcjsiee
    vcjsiee (creates a thread in another existing process)
  vcjsiee (multi AV scanner detection for dropped file; machine learning detection for dropped file)
    vcjsiee
  bfjsiee

Network contacts:
  SF45gO3Bc8.exe: ttmirror.top; teletele.top; 4 other IPs or domains
  explorer.exe: 216.128.137.31 port 443 (AS-CHOOPAUS, United States); nusurtal4f.net 45.141.84.21 port 80 (MEDIALAND-ASRU, Russian Federation); 8 other IPs or domains
  48CF.exe: 45.9.20.149 port 10844 (DEDIPATH-LLCUS, Russian Federation)
  6 other processes: 93.115.20.139 port 28978 (MVPShttpswwwmvpsnetEU, Romania); 162.159.130.233 port 443 (CLOUDFLARENETUS, United States); cdn.discordapp.com
  52FC.exe: telegin.top

Dropped files:
  explorer.exe: C:\Users\user\AppData\Roaming\vcjsiee (PE32); C:\Users\user\AppData\Roaming\bfjsiee (PE32); C:\Users\user\AppData\Local\Temp\63B4.exe (PE32); 9 other malicious files
  2BE9.exe: C:\Users\user\AppData\Local\Temp\1105.tmp (PE32)
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2021-11-12 16:37:06 UTC
AV detection: 27 of 28 (96.43%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
Unpacked files
SHA256 hash: cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash: f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash: 23e6a68262b479a1ff214b09dbfe159292475a22
SHA256 hash: 6b5632608c6187fe40fd1e93cea7a0326748b3079955cd9893bb2807b5424982
MD5 hash: 57c8d42bb07b1223cacf9dff71fca2c3
SHA1 hash: ea40f48158f4cc7924c9f40db34a22982b50392f
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Web download

NetSupport

Executable exe 6b5632608c6187fe40fd1e93cea7a0326748b3079955cd9893bb2807b5424982

(this sample)

Delivery method: Distributed via web download

Comments