MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae
SHA3-384 hash: 0ee39dd688436895fb9ff0df224cb8bf2b117d9376e185bf13ea23299f43702401a582f39d01615b1e0c510b97f1948b
SHA1 hash: 190f21ef796aee07a2b4f906e7b2f7d915b18497
MD5 hash: f1c700707adffb52929de6dff72b2840
humanhash: william-equal-social-south
File name:nlg_ns.msi
Download: download sample
Signature NetSupport
Create hunting rule
File size:14'688'256 bytes
First seen:2024-01-29 16:09:49 UTC
Last seen:2024-01-29 17:32:38 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:shhhkmqs4WU7FaOO13cdK1J/9V91xg9idpE1Qhv4RF5HVwZJfYabpY78vAdt2yT:sfiY6pg1MKL9O1QhAr1VwZJf9jvAdP
Threatray 409 similar samples on MalwareBazaar
TLSH T138E62311A6878536D15D057BE59CEE1E0879BF73473102E377F93CAE48F18C2A2B9A42
TrID 77.3% (.MSI) Microsoft Windows Installer (454500/1/170)
10.3% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.5% (.MSP) Windows Installer Patch (44509/10/5)
3.3% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter rmceoin
Tags:msi NetSupport


Avatar
rmceoin
Found at 5.181.159.48/Downloads/nlg_ns.zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BScope.Adware.Presenoker.7582.14600.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin remote shell32
Link:
https://www.filescan.io/uploads/65b7cde90eab2d16054928b7/reports/3a525d31-32ec-4a65-9944-8962abf4b6cd/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1382831
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Tries to detect sandboxes / dynamic malware analysis system (cursor check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1382831 Sample: nlg_ns.msi Startdate: 29/01/2024 Architecture: WINDOWS Score: 80 53 Multi AV Scanner detection for dropped file 2->53 55 Tries to steal Mail credentials (via file registry) 2->55 57 Contains functionality to register a low level keyboard hook 2->57 59 4 other signatures 2->59 8 msiexec.exe 29 46 2->8         started        11 bdisc.exe 7 2->11         started        13 bdisc.exe 7 2->13         started        15 msiexec.exe 2 2->15         started        process3 file4 43 C:\Windows\Installer\MSI1F66.tmp, PE32 8->43 dropped 45 C:\Windows\Installer\MSI1F17.tmp, PE32 8->45 dropped 47 C:\Windows\Installer\MSI1ED7.tmp, PE32 8->47 dropped 49 7 other malicious files 8->49 dropped 17 bdisc.exe 2 27 8->17         started        22 SrTasks.exe 2 8->22         started        24 msiexec.exe 8->24         started        process5 dnsIp6 51 109.226.63.127, 443, 49791, 49792 TRIPLEC-ASNIL Israel 17->51 35 C:35etSupport Manager\tcctl32.dll, PE32 17->35 dropped 37 C:37etSupport Manager\remcmdstub.exe, PE32 17->37 dropped 39 C:39etSupport Manager\pcicl32.dll, PE32 17->39 dropped 41 5 other files (3 malicious) 17->41 dropped 61 Found many strings related to Crypto-Wallets (likely being stolen) 17->61 63 Tries to harvest and steal browser information (history, passwords, etc) 17->63 65 Adds a directory exclusion to Windows Defender 17->65 26 cmd.exe 1 17->26         started        29 conhost.exe 22->29         started        file7 signatures8 process9 signatures10 67 Adds a directory exclusion to Windows Defender 26->67 31 powershell.exe 2 23 26->31         started        33 conhost.exe 26->33         started        process11
Score:
58%
Verdict:
Susipicious
File Type:
MSI
Link:
https://malprob.io/report/8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ryjpywvilvuvh3ttcib6sromvtcn5vvivklvfrztdxgbpwsqd2xa._file
Verdict:
malicious
Similar samples:
154c606a6781addd71b108cdc62cf45cd1786ba7e7277105d71acedd86d565a5
NetSupport
440bd28a243962febc04beae9f1a0a315a3d21a5eb9f460d21ffff7856337b89
NetSupport
4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7
NetSupport
9f5feccfcce9d5a6af03e983c7fce6a38cf40fd0cfc518a612c696c572ba2fd5
NetSupport
b6d6745927be30ca12ba14142607f60cd5be98b7f6b124384cbc36dbcdf8c7de
NetSupport
c0a2b7fadd4a95724bde0514baca54dd68fb6aa14237df8bd65b7243e1f68b41
NetSupport
df5b822cfb367fb862dce788d16009b0299461c8543c5098009fb85dd2150170
NetSupport
f66e7a06caabe47c99707d0ccebc5626687bdd2b6fdb874f81ab363922702cdb
NetSupport
faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b
NetSupport
+ 399 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240129-tmcqqadff7/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Maps connected drives based on registry
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e12fc5aa85d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

zip 7609aeae15783c429d2f00fe6daaab012eeda05d4f627aa3529c048b2f87d826

NetSupport

Microsoft Software Installer (MSI) msi 8e12fc5aa85d6953ee731203e945ccacc4ded6a8aa9752c7331dcc17da501eae

(this sample)

  
Dropped by
SHA256 7609aeae15783c429d2f00fe6daaab012eeda05d4f627aa3529c048b2f87d826
  
Delivery method
Distributed via web download
  
Dropped by
MD5 1e1a375fe467c638c1e8390fc0887e34

Comments