MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1
SHA3-384 hash: 702d484d34d6a1a0549c508dc04d27e815327c8ca40000c890b388cd618d0e1394914443ab6376b72856bc400a6e0d4e
SHA1 hash: 355362876088aa1859bbd1ec9612c8722f3cdbd7
MD5 hash: 247e8d7c97da1778e87233b14e27d7b0
humanhash: mirror-diet-london-early
File name:7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1
Download: download sample
Signature NetSupport
Create hunting rule
File size:3'634'320 bytes
First seen:2021-08-05 08:00:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (866 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:QmYkk/dwG9dx8s/2gEY131oV0oAVSSH931:tYkWwGnx8C2zq31He
Threatray 850 similar samples on MalwareBazaar
TLSH T1C4F52249DF35A1D9E0895F7688226EA2383E7C3D5F7CD65822B3F7098172AC141217AF
dhash icon 69e9e969cccce871 (1 x NetSupport)
Reporter JAMESWT_WT
Tags:coinduck.duckdns.org exe Knassar DK ApS NetSupport signed

Code Signing Certificate

Organisation:GetScatter Ltd.
Issuer:DigiCert EV Code Signing CA (SHA2)
Algorithm:sha256WithRSAEncryption
Valid from:2019-07-01T00:00:00Z
Valid to:2022-07-06T12:00:00Z
Serial number: 016558f3759ab455d5497251c51ff8f6
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 484c210301f9f02e0836160d51d7a634dc177c5043adaf6d7a5dbc84e28ab7f1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1
Verdict:
Suspicious activity
Analysis date:
2021-08-05 08:02:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2651d1e9-ec84-4233-b181-b570523a95e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176568/
Detection(s):
Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Creating a file
Deleting a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Query of malicious DNS domain
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f830075-e6fd-49cc-8903-1e8cb90c6066
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/827809
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1/
Threat name:
Win32.Infostealer.ChePro
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 12:59:42 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjpsv7tsm5uabd4aqyfktexfnya4wye5nicranekkkayflsk3diq._file
Verdict:
malicious
Similar samples:
01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9
NetSupport
07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e
NetSupport
458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253
NetSupport
6109fdc0254cdefc1462dc6a453ecce1cd70d8b533822d3a11be42604eb47a18
NetSupport
61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b
NetSupport
7879720cfa32665c40e8ffaaa0171ed47563698960d5885d20e0b6a7af8e08ff
NetSupport
978b4ac05a227b23ef7e4fadff92966339ba1413bac5a45e93f83a3064f8fd2f
NetSupport
9bb6f6446c4460f5cfc15f2c70bb6202caaf437553ce97b0c3ef196a582fca32
NetSupport
b3a2bc42672492c4a0d3a7fa4f0ad1352f3ccbc245903fd6010079903656f884
NetSupport
fe46c8f8924406e17a3e3a971abe4da511788e338ba438de9ac5a67c67335759
NetSupport
+ 840 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/210805-ntfv5hgr72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
SH256 hash:
0f83ce1f2649207ee8fc3a0dcf27765fe7ae5b9f708192545e25e1ab4ea2ba95
MD5 hash:
11c74753d375ba44e845bfecbfe88cd6
SHA1 hash:
5df09e6a5673ad6bf4835bdc2c1a5886fbc864ee
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
1cb51c88385ee2586a4af4551efa49d719e8b4efcab65e4e7f8d60d31aff869b
MD5 hash:
40db074b17a6f5415762fb9ae310e78a
SHA1 hash:
70ee0f8b1d274af06d398020da8208ee7f3720b7
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
f23ff00a8c33559a72ee569f4e6f96b99bac77a3ff4a3c92695aa25b501b0a67
MD5 hash:
d0cd25d0c7a03a844da34d5f16052edd
SHA1 hash:
be1ed0e3025340039409baee21d4f4018a2f1a9a
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
6211d8fef273e9383bf0119010606d7617d55807ee23d7ebd83b4a1c2acc9a3c
MD5 hash:
ab557a4c2d23438e3d768fd3a8c482d1
SHA1 hash:
ab091b9910a2571711174452b255874dccb3f5d8
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
835bd4b28a81b929dc34d1e7be71141944eb11f8b56bfceafb014a9cb424fb45
MD5 hash:
cbad541914550b6cbb29266703ed3815
SHA1 hash:
a56a72c667c68c99118009f0a9d03c77b9e47a5e
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
8fd6c1a1c2ddc843084c9469cd765edb88c6afd89a05a35e6a5882263052f104
MD5 hash:
8e29ab23c8efc5a28cdd7ba595911ae3
SHA1 hash:
7c0d0a055ceebf58e8b6f011551e9ce90578a1fc
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
30897caa1a4c9f651366ed2effa722377429085560c08a72d3d2078f908a29af
MD5 hash:
e0e086999af863df397d4f1409bdae6c
SHA1 hash:
2d72edd8a8941966995aa5e051319af93e973139
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
61a0eceea72b37b502693fe290d1deec455256128b2cd8734b71be7b10ca2525
MD5 hash:
7020cce0d8fc8b5b8c676186cb5a8f14
SHA1 hash:
23568202554e901b234941aaca9dfced80912ca8
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
SH256 hash:
7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1
MD5 hash:
247e8d7c97da1778e87233b14e27d7b0
SHA1 hash:
355362876088aa1859bbd1ec9612c8722f3cdbd7
Link:
https://www.unpac.me/results/e32b01c9-9a3c-484d-9744-11baa5a45401/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176568/

Comments