MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8387b1a4374853020ad43af4ed738bfd6538738c448b7b4fbc61b61da79ba4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: NetSupport
Vendor detections: 6

SHA256 hash: 8d8387b1a4374853020ad43af4ed738bfd6538738c448b7b4fbc61b61da79ba4
SHA3-384 hash: af90db10d27eb7137426b3d49f7f2d0667a5c538a3f291adcfbc8396eda6c85799746b06bc2d76de8ad3e8d307e9b81c
SHA1 hash: 61f8c43b0a90d549526009bd607b5c9f34d670ca
MD5 hash: d8491c2201483a1c75ff76fe08e17e2c
humanhash: pizza-april-venus-october
File name: 2907.zip
Signature: NetSupport
File size: 2'260'050 bytes
First seen: 2023-07-31 07:24:00 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 49152:slLUXP5qRroZT5YNdzlIbnNsOF1FLbCN8UlVe5PWZ5FvcBU:slLUf5qRroGKsOnFLC8UbAP+UU
TLSH: T1FCA533A1DB704363E83FA37D60BE95019F6C72AAA3DACB7D24540307714A8655FB8F42
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: JAMESWT_WT
Tags: NetSupport sambireact1-com sambireact2-com zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 96
Origin country: IT

File Archive Information

This file archive contains 12 file(s), sorted by their relevance:

File name: nskbfltr.inf
File size: 328 bytes
SHA256 hash: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash: 26e28c01461f7e65c402bdf09923d435
MIME type: application/x-setupscript
Signature: NetSupport

File name: HTCTL32.DLL
File size: 328'056 bytes
SHA256 hash: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
MD5 hash: 2d3b207c8a48148296156e5725426c7f
MIME type: application/x-dosexec
Signature: NetSupport

File name: TCCTL32.DLL
File size: 396'664 bytes
SHA256 hash: 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
MD5 hash: eab603d12705752e3d268d86dff74ed4
MIME type: application/x-dosexec
Signature: NetSupport

File name: client32.ini
File size: 735 bytes
SHA256 hash: 95b753799e11ad4356df39d9d35c6474c46468eacc167f4f82ed175283d0e114
MD5 hash: 180d9311ec33da39d35de6acfe4cab3f
MIME type: text/plain
Signature: NetSupport

File name: AudioCapture.dll
File size: 93'560 bytes
SHA256 hash: a74612ae5234d1a8f1263545400668097f9eb6a01dfb8037bc61ca9cae82c5b8
MD5 hash: 4182f37b9ba1fa315268c669b5335dde
MIME type: application/x-dosexec
Signature: NetSupport

File name: PCICHEK.DLL
File size: 18'808 bytes
SHA256 hash: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
MD5 hash: a0b9388c5f18e27266a31f8c5765b263
MIME type: application/x-dosexec
Signature: NetSupport

File name: NSM.lic
File size: 259 bytes
SHA256 hash: a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e
MD5 hash: 3a88847f4bbf7199a2161ed963fe88ef
MIME type: text/plain
Signature: NetSupport

File name: msvcr100.dll
File size: 773'968 bytes
SHA256 hash: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash: 0e37fbfa79d349d672456923ec5fbbe3
MIME type: application/x-dosexec
Signature: NetSupport

File name: pcicapi.dll
File size: 33'144 bytes
SHA256 hash: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
MD5 hash: dcde2248d19c778a41aa165866dd52d0
MIME type: application/x-dosexec
Signature: NetSupport

File name: PCICL32.DLL
File size: 3'735'416 bytes
SHA256 hash: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
MD5 hash: 00587238d16012152c2e951a087f2cc9
MIME type: application/x-dosexec
Signature: NetSupport

File name: client32.exe
File size: 101'680 bytes
SHA256 hash: 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
MD5 hash: f70b67c2b3204b7ddd8b755799cccff0
MIME type: application/x-dosexec
Signature: NetSupport

File name: remcmdstub.exe
File size: 59'792 bytes
SHA256 hash: e14c3224215ea91587e96b995861e8966166dfc08ab4d409bd729770815b3b81
MD5 hash: ba2a1815e16b357eeff23b8394457aa5
MIME type: application/x-dosexec
Signature: NetSupport
Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm overlay packed
Result

Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2023-07-31 07:25:06 UTC
File Type: Binary (Archive)
Extracted files: 454
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result

Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour: Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_NetSupportRAT_Config
Author: abuse.ch

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: Check_OutputDebugStringA_iat

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
NetSupport
zip 8d8387b1a4374853020ad43af4ed738bfd6538738c448b7b4fbc61b61da79ba4 (this sample)

Delivery method: Distributed via web download