MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74b200a4368355d3b7de637b83187c08a4c670a90b0ab624d4eff2287424c9e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport
Vendor detections: 15

SHA256 hash: 74b200a4368355d3b7de637b83187c08a4c670a90b0ab624d4eff2287424c9e6
SHA3-384 hash: 3d401168a001c0d8f0aa4fe7411e14e65887642f1e492a4722536ed647743d12329e876f7a54e9c36c7cf001a62fa723
SHA1 hash: c6b5050e94a74fff077784b1b196abfea8941279
MD5 hash: 9eb55c2cccde975994c3c28f9dcbc593
humanhash: fruit-north-cola-north
File name: Purchase_supply_procurement.exe
Signature: NetSupport
File size: 2'457'908 bytes
First seen: 2023-08-17 15:33:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3eaa732d4dae53340f9646bdd85dac41 (11 x NetSupport, 6 x RedLineStealer, 4 x ISRStealer)
ssdeep: 49152:wBc3TTzfQLTmIXUrgjo5tSS9zQwr/xJ8tKO6ETgu6f:ko/LQL1XUr+o5tN9zQIxJ8Isgu6f
Threatray: 608 similar samples on MalwareBazaar
TLSH: T1DBB523B36DACC0F4F81F8CB44AAAB265D1A87CE56E7004857B303E5DF9316A1D626713
TrID:
  73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.6% (.SCR) Windows screen saver (13097/50/3)
  2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: e4828602b22ab694 (27 x RedLineStealer, 8 x AgentTesla, 4 x MassLogger)
Reporter: k3dg3___
Tags: exe NetSupport RAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 322
Origin country: US

Vendor Threat Intelligence

Malware family: netsupport
ID: 1
File name: Purchase_supply_procurement.exe
Verdict: Malicious activity
Analysis date: 2023-08-17 15:34:15 UTC
Tags: unwanted netsupport remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Searching for synchronization primitives
  Creating a file in the %AppData% subdirectories
  Enabling the 'hidden' option for recently created files
  Creating a process from a recently created file
  DNS request
  Using the Windows Management Instrumentation requests
  Sending an HTTP GET request
  Enabling autorun by creating a file

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CPUID_Instruction
  MeasuringTime
  SystemUptime
  EvasionQueryPerformanceCounter
  EvasionGetTickCount
  CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm cmd control cscript evasive explorer fingerprint greyware keylogger lolbin masquerade netsupport overlay packed remote remoteadmin replace shdocvw shell32 virus wscript
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: NetSupport Ltd
Verdict: Suspicious

Result
Threat name: NetSupport RAT
Detection: malicious
Classification: troj.spyw.evad
Score: 84 / 100
Signature:
  Antivirus detection for URL or domain
  Contains functionality to modify clipboard data
  Initial sample is a PE file and has a suspicious name
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic
  Uses known network protocols on non-standard ports
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-07-26 14:49:32 UTC
File Type: PE (Exe)
Extracted files: 471
AV detection: 19 of 38 (50.00%)
Threat level: 2/5

Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Drops startup file
  Executes dropped EXE
  Loads dropped DLL
NetSupport
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

This sample: NetSupport, Executable exe, SHA256 74b200a4368355d3b7de637b83187c08a4c670a90b0ab624d4eff2287424c9e6
Dropped by: SHA256 c6d7b4658c9bf04ed62616ac2cfae256e0516a632deb52b1e1ce9a868e91ad08
Delivery method: Distributed via e-mail link