MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 8



SHA256 hash: 84172e09798be8252fb18887e9cd29e47279df9641ab50185a6eea50f4c02fef
SHA3-384 hash: 7ff14e9b6f821a359426327cee45cd52642dbba4716b8680ab05ca33feeeec8d4fcc918a394089ecfbd6311fa5487582
SHA1 hash: d9ccf012e7d06de46415f4d6152451842c1bdd9f
MD5 hash: fcfd7e25e415f1d9ee598ab41ca31840
humanhash: minnesota-leopard-timing-lion
File name: shdeulerinstall.lnk
Signature: NetSupport
File size: 1'394 bytes
First seen: 2023-07-24 17:32:51 UTC
Last seen: Never
File type: Shortcut (lnk) lnk
MIME type: application/octet-stream
ssdeep: 24:8mN4OglPNTJjaMcK9rhW8pThAcWQCa+/CWzyKMgDB3Y7l7aWyImdab/2XT:8mNXglLofYCuKMgDB387aIuab2j
TLSH: T13B219A141BF60706C6B68B3ABCE6B366D977BC09EA459B9E1690C3880815610F815F2F
Reporter: rmceoin
Tags: FakeSG lnk


rmceoin
Infection chain
compromised site
-->
google-analytiks.com/sBY76j
-->
esteticalocarno.com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
-->
http://185.252.179.64:80/Downloads/shdeulerinstall.lnk
-->
www.esteticalocarno.com/wp-content/uploads/2018/04/HHYGASDBBBX.hta
-->
NetSupport GatewayAddress conluase62.com:5051

Intelligence


File Origin
# of uploads: 1
# of downloads: 151
Origin country: US
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Payload URLs
URL
File name
https://www.esteticalocarno.com/wp-content/uploads/2018/04/HHYGASDBBBX.hta')
LNK File
Behaviour
BlacklistAPI detected
Result
Verdict:
MALICIOUS
Result
Threat name:
NetSupport RAT
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell drops NetSupport RAT client
Suspicious command line found
Suspicious powershell command line found
Very long command line found
Windows shortcut file (LNK) starts blacklisted processes
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1278559, Sample: shdeulerinstall.lnk, Startdate: 24/07/2023, Architecture: WINDOWS, Score: 100
Top signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
Process tree recovered from the graph:
powershell.exe --> mshta.exe (contacts esteticalocarno.com / www.esteticalocarno.com, 217.160.0.218:443, ONEANDONE-AS Germany) --> powershell.exe --> cmd.exe --> powershell.exe (contacts esteticalocarno.com and 149677182.v2.pressablecdn.com, 192.0.77.39:443, AUTOMATTICUS United States; drops C:\Users\user\AppData\Roaming\client32.exe, C:\Users\user\AppData\Roaming\...\pcicapi.dll, C:\Users\user\AppData\...\client32.exe (copy) and 6 other files, 5 malicious) --> powershell.exe (drops C:\Users\user\AppData\Local\Temp\CMSTP.inf and C:\Users\user\AppData\...\3ycyy5ei.cmdline) --> csc.exe (drops C:\Users\user\AppData\Local\...\3ycyy5ei.dll) --> cvtres.exe; the same powershell.exe also starts cmstp.exe
powershell.exe --> client32.exe (contacts conluase62.com, 94.158.247.27:5051, MIVOCLOUD Moldova; geography.netsupportsoftware.com, 62.172.138.67:80, BT United Kingdom; geo.netsupportsoftware.com); the same powershell.exe also starts reg.exe
taskkill.exe
client32.exe
Signatures repeated along the chain: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; Windows shortcut file (LNK) starts blacklisted processes; Suspicious command line found
Threat name:
Shortcut.Trojan.Generic
Status:
Suspicious
First seen:
2023-07-24 14:54:43 UTC
File Type:
Binary
AV detection:
8 of 25 (32.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://www.esteticalocarno.com/wp-content/uploads/2018/04/HHYGASDBBBX.hta
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Author:Germán Fernández
Description: Detects suspicious .lnk files
Rule name:PS_in_LNK
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments