MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 725f81ee466371300ed43441bc35239089dd5283b8831193699b091fb2ad928c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 6

SHA256 hash: 725f81ee466371300ed43441bc35239089dd5283b8831193699b091fb2ad928c
SHA3-384 hash: a0afed531860ceb5d77862a9d2a54b0438d1a3d9d9d1c98ae4399c1f246e6ccf8368c29f72cdb13c6222ceaf718484cd
SHA1 hash: 8680641a985d92a5a91c5b55a03858577bc39be1
MD5 hash: 9292cd5fed975aad2bcb1cc73c4eefe0
humanhash: chicken-muppet-eighteen-uncle
File name: 9292CD5FED975AAD2BCB1CC73C4EEFE0.exe
Signature: NetSupport
File size: 1'829'181 bytes
First seen: 2021-07-01 01:46:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep: 49152:WC2lJmXbj5DIwbQea1LPEyK7r385JD3d6cIWho:WzlkbFDVrQMyOr3S3d6cLho
Threatray: 9 similar samples on MalwareBazaar
TLSH: 66851203B293C072D49901B505658BB64F3A7C319775D0F7AFD13AAA9D703E29B3638A
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
5.252.179.60:1203

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
5.252.179.60:1203    https://threatfox.abuse.ch/ioc/156602/

Intelligence


File Origin
# of uploads: 1
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9292CD5FED975AAD2BCB1CC73C4EEFE0.exe
Verdict: No threats detected
Analysis date: 2021-07-01 01:47:13 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 52 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
May check the online IP address of the machine
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph ID: 442697
Sample: WesYhOA67u.exe
Startdate: 01/07/2021
Architecture: WINDOWS
Score: 52

Top-level network contacts: wsgeoip.lavasoft.com; webcompanion.com; 6 other IPs or domains
Top-level signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree (each node lists the network contacts, dropped files and signatures the graph attributes to it):
WesYhOA67u.exe
    dropped: C:\Users\user\AppData\Local\...\lua5.1.dll (PE32); C:\Users\user\AppData\Local\...\irsetup.exe (PE32)
    irsetup.exe
        network: 1fichier.com 5.39.224.140, 443, 49734 DSTORAGEFR France; a-15.1fichier.com 5.39.224.15, 443, 49736 DSTORAGEFR France; pastebin.com 104.23.98.190, 443, 49733 CLOUDFLARENETUS United States
        dropped: C:\Users\user\AppData\...\SetupB_343.exe (PE32)
        SetupB_343.exe
            dropped: C:\Users\user\AppData\Local\...\irsetup.exe (PE32); C:\Users\user\AppData\Local\...\lua5.1.dll (PE32)
            irsetup.exe
                network: ip-api.com 208.95.112.1, 49741, 80 TUT-ASUS United States; www.findmemolite.com 46.101.214.246, 49745, 80 DIGITALOCEAN-ASNUS Netherlands; 2 other IPs or domains
                dropped: C:\Users\user\AppData\Local\...\maskvpn.exe (PE32); C:\Users\user\AppData\...\installerapp.exe (PE32); C:\Users\user\AppData\...\WcInstaller.exe (PE32)
                signature: May check the online IP address of the machine
                WcInstaller.exe
                    dropped: C:\Users\user\...\WebCompanionInstaller.exe (PE32); C:\Users\...\WebCompanionInstaller.exe.config (XML); C:\...\WebCompanionInstaller.resources.dll (PE32); 11 other files (none is malicious)
                    WebCompanionInstaller.exe
                        network: wc-update-service.lavasoft.com 64.18.87.82 MTOCA Canada; flow.lavasoft.com 104.18.87.101 CLOUDFLARENETUS United States; wcdownloadercdn.lavasoft.com
                        dropped: C:\...\WebCompanion.resources.dll (PE32); C:\...\WebCompanionInstaller.resources.dll (PE32); C:\Program Files (x86)\...\SQLite.Interop.dll (PE32); 66 other files (none is malicious)
                        signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Modifies Internet Explorer zone settings
                maskvpn.exe
                    dropped: C:\Users\user\AppData\Local\...\maskvpn.tmp (PE32)
                    maskvpn.tmp
                        network: 91.219.62.87 YANINA-ASUA Ukraine; user.maskvpn.org 98.126.176.51 VPLSNETUS United States; 2 other IPs or domains
                        dropped: C:\Users\user\AppData\...\libMaskVPN.dll (PE32); C:\Users\user\AppData\Local\...\botva2.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); 23 other files (none is malicious)
                        signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        cmd.exe
                            tapinstall.exe
                                dropped: C:\Users\user\AppData\Local\...\SET1052.tmp (PE32+)
                            conhost.exe
                        cmd.exe
                            conhost.exe
                            tapinstall.exe
                installerapp.exe
                    network: 52.23.109.145 AMAZON-AESUS United States; collect.installeranalytics.com
                    dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\...\AdvancedWindowsManager.exe (PE32+); 4 other files (none is malicious)
                    msiexec.exe
svchost.exe
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
msiexec.exe
    dropped: C:\Users\user\AppData\Local\...\shiA6AA.tmp (PE32); C:\Users\user\AppData\Local\...\shiA61D.tmp (PE32)
    signature: Opens network shares
15 other processes
    network: 104.248.255.188 DIGITALOCEAN-ASNUS United States; 110.t.keepitpumpin.io 163.172.204.15 OnlineSASFR United Kingdom; 15 other IPs or domains
    dropped: C:\Users\user\AppData\Local\...\shiBDDC.tmp (PE32); C:\Users\user\AppData\Local\...\shiBD1F.tmp (PE32)
    taskkill.exe
        conhost.exe
    drvinst.exe
        dropped: C:\Windows\System32\...\SET17E4.tmp (PE32+)
    drvinst.exe
        dropped: C:\Windows\System32\drivers\SET4114.tmp (PE32+)
    6 other processes
Threat name: Win32.Trojan.Bingoml
Status: Malicious
First seen: 2021-06-27 04:25:37 UTC
AV detection: 19 of 29 (65.52%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SHA256 hash: 0cf7d62aee643888b4e60aaea1c1ca2068789b46d3e0a0da3b67a221746d78df
MD5 hash: 5f3bb4c65f7c41000a9e5634bc61eed7
SHA1 hash: e2eb3277422e0712094db2f13cae8fe9d3d80f54

SHA256 hash: c3f051fdc89bba65156a1f0b0c6bcd9dd7950ff851ed8338e842ad1d89534c48
MD5 hash: 6e8174db90c85a6c871510c2ec49c3f9
SHA1 hash: 01d1ea3fceaae1eef1034e230c1924eba645a7ee

SHA256 hash: 725f81ee466371300ed43441bc35239089dd5283b8831193699b091fb2ad928c
MD5 hash: 9292cd5fed975aad2bcb1cc73c4eefe0
SHA1 hash: 8680641a985d92a5a91c5b55a03858577bc39be1

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments