MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70ee73260835cf8043fa9f1e2034b4477498ee760e3de2c77f89f25d1ab906e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70ee73260835cf8043fa9f1e2034b4477498ee760e3de2c77f89f25d1ab906e9
SHA3-384 hash: 8abda091e1c69f1978f80fc0670ffa105bc31221dbe4ac34989f3e92813d588ba83a96e705b8b4dad0e80f37ae24e788
SHA1 hash: 1a5a593ff5e08c558000292eba82b94df7ea5b58
MD5 hash: 0d955132ee0caa702e0927570494151e
humanhash: river-three-illinois-beryllium
File name:0d955132ee0caa702e0927570494151e.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:48'331 bytes
First seen:2021-12-20 21:47:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 768:T7ra/Tl+hs3E/jU0dugZ0T2Xtz+lHQW40Zz0D3jHUpi1Gou8pPHF2mNgbTD:G/T2X/jN2vxZz0DTHUpou8pPHl2D
Threatray 66 similar samples on MalwareBazaar
TLSH T107239D00B760D477D5B247322D3A6BBB9FFA94252564AF0703802E5D3DB3AC19A1F7A1
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
5.252.179.13:1203

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.252.179.13:1203 https://threatfox.abuse.ch/ioc/278444/

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d955132ee0caa702e0927570494151e.exe
Verdict:
No threats detected
Analysis date:
2021-12-21 05:58:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f5a62c6-3c93-4d46-a309-ddb7b727c612

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215543/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.12681.9623.3020.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Connecting to a non-recommended domain
Creating a window
Сreating synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Modifying a system file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Possible injection to a system process
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2796/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
60%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61c0fa174ab5c44cbf4ab67d/reports/35865c35-5e2a-426e-95ed-88cf75d04bcf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b4f6a73c-fc73-4d0a-a336-52ecba4a7da5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910614
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543092 Sample: onYwrKS2DM.exe Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 97 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->97 99 Antivirus detection for URL or domain 2->99 101 Antivirus detection for dropped file 2->101 103 5 other signatures 2->103 8 msiexec.exe 98 63 2->8         started        11 onYwrKS2DM.exe 15 2->11         started        14 AdvancedWindowsManager.exe 1 2->14         started        16 5 other processes 2->16 process3 dnsIp4 61 C:\...\AdvancedWindowsManager.exe, PE32+ 8->61 dropped 63 C:\Windows\Installer\MSIC3BE.tmp, PE32 8->63 dropped 65 C:\Windows\Installer\MSIC033.tmp, PE32 8->65 dropped 73 21 other files (none is malicious) 8->73 dropped 18 msiexec.exe 3 8->18         started        22 msiexec.exe 1 59 8->22         started        25 msiexec.exe 14 8->25         started        83 www.tikto.pw 109.232.226.206, 49751, 80 GLOBALLAYERNL Netherlands 11->83 93 4 other IPs or domains 11->93 67 C:\Users\user\AppData\Local\...\installer.exe, PE32 11->67 dropped 69 C:\Users\user\AppData\Local\...\setup.exe, PE32 11->69 dropped 71 C:\Users\user\AppData\Local\...\nsisdl.dll, PE32 11->71 dropped 27 installer.exe 66 11->27         started        29 setup.exe 1 20 11->29         started        85 198.244.186.249, 39290, 49761 RIDLEYSD-NETUS United States 14->85 87 115.t.keepitpumpin.io 212.83.166.214, 49760, 8080 OnlineSASFR France 14->87 31 conhost.exe 14->31         started        89 198.244.186.244, 18462, 49792 RIDLEYSD-NETUS United States 16->89 91 110.t.keepitpumpin.io 163.172.204.15, 49796, 8080 OnlineSASFR United Kingdom 16->91 95 4 other IPs or domains 16->95 33 conhost.exe 16->33         started        35 conhost.exe 16->35         started        37 3 other processes 16->37 file5 process6 dnsIp7 45 C:\Users\user\AppData\Local\Temp\shi866.tmp, PE32 18->45 dropped 47 C:\Users\user\AppData\Local\Temp\shi642.tmp, PE32 18->47 dropped 105 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->105 107 Opens network shares 18->107 75 pstbbk.com 157.230.96.32, 49784, 80 DIGITALOCEAN-ASNUS United States 22->75 77 collect.installeranalytics.com 34.196.43.38, 443, 49788, 49798 AMAZON-AESUS United States 22->77 49 C:\Users\user\AppData\Local\...\shi25E1.tmp, PE32 22->49 dropped 51 C:\Users\user\AppData\Local\...\shi2488.tmp, PE32 22->51 dropped 39 taskkill.exe 1 22->39         started        79 3.209.18.1, 443, 49870 AMAZON-AESUS United States 27->79 81 192.168.2.1 unknown unknown 27->81 53 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 27->53 dropped 55 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 27->55 dropped 57 C:\Users\user\AppData\...\Windows Updater.exe, PE32 27->57 dropped 59 4 other files (none is malicious) 27->59 dropped 109 Multi AV Scanner detection for dropped file 27->109 41 msiexec.exe 27->41         started        file8 signatures9 process10 process11 43 conhost.exe 39->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70ee73260835cf8043fa9f1e2034b4477498ee760e3de2c77f89f25d1ab906e9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-17 01:58:46 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=odxhgjqigxhyaq72t4pcanfui52jr3twby66fr37rhzf2gvza3uq._file
Verdict:
malicious
Similar samples:
6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad
NetSupport
7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548
NetSupport
80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42
NetSupport
a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda
NetSupport
d7480662bc7ee6dc38227ea381978553b1774774e4a0a70ea3bf6aebbca48622
NetSupport
df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc
NetSupport
e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c
NetSupport
e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2bdea925c9bdb6aa1f43
NetSupport
+ 56 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery evasion persistence rat trojan upx
Link:
https://tria.ge/reports/211220-1nrplabhb2/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Drops startup file
Loads dropped DLL
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender notification settings
NetSupport
Unpacked files
SH256 hash:
419485a096bc7d95f872ed1b9b7b5c537231183d710363beee4d235bb79dbe04
MD5 hash:
ee68463fed225c5c98d800bdbd205598
SHA1 hash:
306364af624de3028e2078c4d8c234fa497bd723
Link:
https://www.unpac.me/results/6bb4a4e5-dd13-4433-a61e-0d9530cb1412/
SH256 hash:
70ee73260835cf8043fa9f1e2034b4477498ee760e3de2c77f89f25d1ab906e9
MD5 hash:
0d955132ee0caa702e0927570494151e
SHA1 hash:
1a5a593ff5e08c558000292eba82b94df7ea5b58
Link:
https://www.unpac.me/results/6bb4a4e5-dd13-4433-a61e-0d9530cb1412/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70ee73260835cf8043fa9f1e2034b4477498ee760e3de2c77f89f25d1ab906e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/215543/

Comments