MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fe99e1ad9f91735ffecf032c4bc4f57a16a21f104a34442381b23b259fd9c9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	6fe99e1ad9f91735ffecf032c4bc4f57a16a21f104a34442381b23b259fd9c9c
SHA3-384 hash:	9a110ca6a608f86f7e2c069ba670863f9b5a6c81f32a66f153928ef5102720daad4bd83fd9fe28fcf6f0d91b91a0656b
SHA1 hash:	cdad65b7feebba5424833a18caddf1637f9144d3
MD5 hash:	bee80f46b4e751c29c4d329150245cb3
humanhash:	ack-pluto-robert-black
File name:	6FE99E1AD9F91735FFECF032C4BC4F57A16A21F104A34.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	4'356'920 bytes
First seen:	2022-04-03 00:10:46 UTC
Last seen:	2022-04-03 00:56:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep	98304:kSirmeIqavWz5SBCOrpRwN3Y/7UBTNFgK0vfjnr5:cUZrrIK/7URNW3jt
Threatray	323 similar samples on MalwareBazaar
TLSH	T10916023BB268613ED56E0B3245738360587BBE65A81A8C1F07F0790DCF365612F3BA56
File icon (PE):
dhash icon	00001a8e0f0b0008 (1 x NetSupport)
Reporter	abuse_ch
Tags:	exe NetSupport

abuse_ch

NetSupport C2:
95.217.40.216:1488

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.217.40.216:1488	https://threatfox.abuse.ch/ioc/487372/

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netsupport

ID:

File name:

6fe99e1ad9f91735ffecf032c4bc4f57a16a21f104a34442381b23b259fd9c9c.zip

Verdict:

Malicious activity

Analysis date:

2022-04-03 08:02:42 UTC

Tags:

unwanted netsupport

Link:

https://app.any.run/tasks/c3f3269a-bed8-4281-9902-59bbc5ac1576

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

PUA.Win.Packer.Exe-6

SecuriteInfo.com.Trojan.Win32.ChePro.7c.30942.22727.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12418/overview

Behaviour

MalwareBazaar

CheckNumberOfProcessor

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe expand.exe overlay packed setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/6248e61f9253b276b7d227bb/reports/ed650661-862d-4313-a29b-552823e189ae/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fae51a97-8030-4932-bfc3-dcddbe7169c6

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

troj.evad

Score:

34 / 100

Link:

https://www.joesandbox.com/analysis/969482

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Obfuscated command line found

Uses dynamic DNS services

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fe99e1ad9f91735ffecf032c4bc4f57a16a21f104a34442381b23b259fd9c9c/

Threat name:

Win32.Infostealer.ChePro

Status:

Malicious

First seen:

2022-02-08 18:37:33 UTC

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=n7uz4gwz7eltl77m6azmjpcpk6qwuiprasruiqrydmr3ewp5tsoa._file

Verdict:

unknown

NetSupport

48d8e801a917f6d84cb7c144358302402e0f03f8a3667cdbf4be5ad95ec32c6a

NetSupport

49d0d2a3b58255fd7c36dacc34c5ef977187f2e1ecc8cfd4cf0e35c47824fa8b

NetSupport

595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470

NetSupport

64311876870149d62508ee333c179725755f897f1d2e50d53bc4f85d32dde784

NetSupport

be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502

NetSupport

+ 313 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220403-agla5agcdl/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

066c50c2a3a774d6a6275e206a1d9ace2429febb9ae2b86c7e25f07d057fa7ad

MD5 hash:

c200fa15186e226f244de77eb4d7862e

SHA1 hash:

b1b227b79d35d1c1c76b9f4a3579e69e09c3198f

Link:

https://www.unpac.me/results/629f7607-56ee-4732-b607-1495d2acedc7/

SH256 hash:

6fe99e1ad9f91735ffecf032c4bc4f57a16a21f104a34442381b23b259fd9c9c

MD5 hash:

bee80f46b4e751c29c4d329150245cb3

SHA1 hash:

cdad65b7feebba5424833a18caddf1637f9144d3

Link:

https://www.unpac.me/results/629f7607-56ee-4732-b607-1495d2acedc7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6fe99e1ad9f91735ffecf032c4bc4f57a16a21f104a34442381b23b259fd9c9c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260224/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample