MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3
SHA3-384 hash: c4a38697f294c82102941366faaaffcf188d71284269a04a02db46a88964801b21fea1456cc51717aae0859597564d03
SHA1 hash: 23048047f7fd4cbfa20269a89e9aa61ddc623815
MD5 hash: 922ddb400915ecc12148b5502b5b7748
humanhash: equal-iowa-wyoming-helium
File name:SecuriteInfo.com.Win32.PWSX-gen.10211.1601
Download: download sample
Signature NetSupport
Create hunting rule
File size:37'888 bytes
First seen:2024-09-21 11:31:38 UTC
Last seen:2024-09-25 10:59:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:84Uo92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7GNb9n:84U6ulPg6XO66WRqUZ
Threatray 601 similar samples on MalwareBazaar
TLSH T1BF03271229F9109DE177FEF56FD4A1DECA7DE6221607A86A0007430B1992EC28E5277F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:147-45-44-131 armayalitim-com armayalitim1722-com exe NetSupport

Intelligence

File Origin
# of uploads :
2
# of downloads :
371
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.10211.1601
Verdict:
Malicious activity
Analysis date:
2024-09-21 11:36:41 UTC
Tags:
loader netsupport unwanted remote
Link:
https://app.any.run/tasks/34ce6896-0510-413a-bbea-bd49961ee929

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10211.1601.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66eeaebd1db25d66857c6617
Tags:
Execution Generic Network Stealth Xpack
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
xpack
Link:
https://www.filescan.io/uploads/66eeaebb3c9389b729ba8cea/reports/1a3757c0-8882-4683-a535-8b7736136779/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0861fef7-a008-4d66-9748-e3ed16ca939f
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1514921
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Compiles code for process injection (via .Net compiler)
Contains functionalty to change the wallpaper
Delayed program exit found
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1514921 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 21/09/2024 Architecture: WINDOWS Score: 100 55 armayalitim.com 2->55 57 mlm-cdn.com 2->57 59 2 other IPs or domains 2->59 67 Multi AV Scanner detection for domain / URL 2->67 69 Suricata IDS alerts for network traffic 2->69 71 Antivirus detection for URL or domain 2->71 73 9 other signatures 2->73 9 SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe 15 10 2->9         started        14 client32.exe 2->14         started        signatures3 process4 dnsIp5 61 147.45.44.131, 49717, 80 FREE-NET-ASFREEnetEU Russian Federation 9->61 47 C:\Users\user\AppData\...\pkdiojoa.cmdline, Unicode 9->47 dropped 49 C:\Users\user\AppData\Local\...\pkdiojoa.0.cs, Unicode 9->49 dropped 51 SecuriteInfo.com.W....10211.1601.exe.log, CSV 9->51 dropped 83 Writes to foreign memory regions 9->83 85 Allocates memory in foreign processes 9->85 87 Compiles code for process injection (via .Net compiler) 9->87 89 Injects a PE file into a foreign processes 9->89 16 RegAsm.exe 48 9->16         started        20 RegAsm.exe 9->20         started        23 csc.exe 3 9->23         started        file6 signatures7 process8 dnsIp9 53 mlm-cdn.com 142.11.212.184, 443, 49718, 49719 HOSTWINDSUS United States 16->53 37 C:\Users\user\AppData\Local\...\wfapigp.dll, PE32 16->37 dropped 39 C:\Users\user\AppData\...\remcmdstub.exe, PE32 16->39 dropped 41 C:\Users\user\AppData\Local\...\pcicapi.dll, PE32 16->41 dropped 45 22 other files (7 malicious) 16->45 dropped 25 client32.exe 17 16->25         started        29 schtasks.exe 1 16->29         started        75 Found evasive API chain (may stop execution after checking mutex) 20->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 20->77 43 C:\Users\user\AppData\Local\...\pkdiojoa.dll, PE32 23->43 dropped 31 conhost.exe 23->31         started        33 cvtres.exe 1 23->33         started        file10 signatures11 process12 dnsIp13 63 armayalitim.com 37.1.209.225, 443, 49722, 49733 HVC-ASUS Ukraine 25->63 65 geo.netsupportsoftware.com 172.67.68.212, 49723, 80 CLOUDFLARENETUS United States 25->65 79 Contains functionalty to change the wallpaper 25->79 81 Delayed program exit found 25->81 35 conhost.exe 29->35         started        signatures14 process15
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-09-20 23:48:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=quhumtumb7byfwgfs7a4n46uztdujgaxnyrqfokmquhyenoglczq._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
36347ad88c3fd960152b88022381308c68b39dde29a1e2d471148cb01e76bb3c
NetSupport
8301d30f35705f82c85b56c51fc9f79f9071c3cb3e984b9c55aefe98b830cfc6
NetSupport
8ccff473270017f72b0910ea0404d670cc6c0ebee16977accc7cbcf137ba168b
NetSupport
a179d25f0ca4b9f6b7b1b7b4376664e422a6341650f80ba58626881638b64d50
NetSupport
b4d61c536730fbab0d2d81ec2f7bf8cdda541e4fd9200ddf50cf773c90c019c0
NetSupport
b4e0ddcf69631a6f24718c6a25ef4eee2c13d56a581ec4f102e9388b39bfb041
NetSupport
d88b08d7811ea62dcedcbd7f6e881c8a002ec1f30979d5a99d6d7b549fe8d2b4
NetSupport
+ 591 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/240921-nnapvszgkn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/26ebb57c-96c8-4958-b1b6-66bff2304309
Unpacked files
SH256 hash:
850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3
MD5 hash:
922ddb400915ecc12148b5502b5b7748
SHA1 hash:
23048047f7fd4cbfa20269a89e9aa61ddc623815
Link:
https://www.unpac.me/results/f38081dd-cbd6-4d60-a641-bef37ade9999/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/850f464e8c0f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

Executable exe 850f464e8c0fc382d8c597c1c6f3d4ccc74498176e2302b94c850f8235c658b3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3184164/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments