MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78340f48ddfebdb48ee1ef2d5fb0cfbe3f4f0977d4ee97ce9b21c06be6bf22f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 8



SHA256 hash: 78340f48ddfebdb48ee1ef2d5fb0cfbe3f4f0977d4ee97ce9b21c06be6bf22f7
SHA3-384 hash: 5df84fd72dccbbe09db6c287e0c2b4d18dd7f9f023766eabeb7a7449381482e7234de9b5946a0e684c6851af7f8da5a3
SHA1 hash: 2255afda282a6d0d323a626ca5bcc8b1e919b8aa
MD5 hash: e66d3a6a4e87aa8d4a42ecaa86222310
humanhash: carolina-diet-july-nitrogen
File name: E66D3A6A4E87AA8D4A42ECAA86222310.exe
Signature: NetSupport
File size: 1'764'716 bytes
First seen: 2021-06-21 13:10:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 24576:t4nXubIQGyxbPV0db26Wy7qKnAsv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdOi:tqe3f6z5BSffPMWrQ0Zkl
TLSH: A985B03FF268A53EC45E1B3245B39250997BBA60A81A8C1F07FC384DCF765601E3B656
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
5.252.179.111:1203

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
5.252.179.111:1203   https://threatfox.abuse.ch/ioc/137861/

Intelligence


File Origin
# of uploads :
1
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E66D3A6A4E87AA8D4A42ECAA86222310.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-21 13:12:47 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
AZORult++
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
52 / 100
Signature
Creates an undocumented autostart registry key
Detected AZORult++ Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Logon Scripts (UserInitMprLogonScript)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph: rendered sandbox graph (Behavior Graph ID 437735, sample Pxa4150NA5.exe, start date 21/06/2021, architecture WINDOWS, score 52) showing the process tree, dropped files, contacted IPs and triggered signatures; the graph image is not reproduced here.
Threat name:
Win32.Infostealer.ChePro
Status:
Malicious
First seen:
2021-06-18 00:35:13 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 651d3a0f6b013b51f26836babb40817e5cd5ac8b25f4d9565d7509a9ba18b132
MD5 hash: 46d0535c72b14d3b5d7e9ed6501f635a
SHA1 hash: a25440bcd7954bfd236a189b6efb54fc45d27810

SHA256 hash: 78340f48ddfebdb48ee1ef2d5fb0cfbe3f4f0977d4ee97ce9b21c06be6bf22f7
MD5 hash: e66d3a6a4e87aa8d4a42ecaa86222310
SHA1 hash: 2255afda282a6d0d323a626ca5bcc8b1e919b8aa
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments