MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c
SHA3-384 hash: a548fcc7a09e89a505b1a75a5cb02b95b3e7a5dfb13788ebe2895529dd293e1d4acf36cca1eb1dec6f1ee2d7f2db0d89
SHA1 hash: de94138ee8c7724089ef9faa80b8453c0b3986a3
MD5 hash: 2344df683dc8295da9e132d132083a26
humanhash: india-quebec-texas-lion
File name:2344df683dc8295da9e132d132083a26.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'426'256 bytes
First seen:2023-03-03 12:20:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3eaa732d4dae53340f9646bdd85dac41 (11 x NetSupport, 6 x RedLineStealer, 4 x ISRStealer)
ssdeep 49152:5ypEkkYclR4EpZeJyKn20ZvtV4RuK52Z+bm9pg6tUywG6EjXpp/7:5vkJclR4oeJy2NNt+Jpbm9aOOOr/7
Threatray 443 similar samples on MalwareBazaar
TLSH T1AFB5EF521DA8D0A7E0D94F70CCF76EFA5C24EC79C1B40857D2403EFA3A32E526D5662A
TrID 73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.6% (.SCR) Windows screen saver (13097/50/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 96968e8e0f0f9696 (49 x GCleaner, 1 x NetSupport)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
82.115.223.134:3010

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
2344df683dc8295da9e132d132083a26.exe
Verdict:
Malicious activity
Analysis date:
2023-03-03 12:22:58 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/a99b3e7b-7cc8-4f49-84b7-4dc46a3984c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371366/
Detection(s):
SecuriteInfo.com.Generic.Starter.3.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm cmd.exe control.exe cscript.exe evasive explorer.exe fingerprint greyware hacktool keylogger overlay packed packed remoteadmin shdocvw.dll shell32.dll wscript.exe
Link:
https://www.filescan.io/uploads/6401e630bfec0852a68ec07f/reports/6722bad0-18d0-4be8-a0e5-59bd2ad74bfa/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22786b22-06fe-48e7-8734-4d875d260f74
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1186488
Signature
Antivirus detection for URL or domain
Found potential ransomware demand text
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 13:50:05 UTC
File Type:
PE (Exe)
Extracted files:
461
AV detection:
15 of 39 (38.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3ewub2ckw36scxjlv3syo4j4izitfmo5q3et3rgzjahdm7gn2oa._file
Verdict:
malicious
Similar samples:
15df432e0f75857dbdb8da921cfffeed71244a95650b9fe8da19219999662d65
NetSupport
1dc1c512bf8786c4cafd8c03835f96cccdd79e7e55b4a917b5527c52261cfbe8
NetSupport
47da94da37e3d742e3cd85e9746aa07752e9003fb7d63bb7d8bb6e0a0276d46b
NetSupport
4b47e10740c284c9a1617a0f25548c1e25f2fd25aebac939339b2dfb0c882502
NetSupport
8ccff473270017f72b0910ea0404d670cc6c0ebee16977accc7cbcf137ba168b
NetSupport
9a8a699900f94843189af50d9aa633419301f768a156031751278fa079add7a5
NetSupport
+ 433 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230303-pjbl2ahd69/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
fc8556900dd9583a376edf32b159594d70f996fa37767326d2fb4aea8f7330c6
MD5 hash:
1d13182dcfc79c8af83f6dc45603e923
SHA1 hash:
d9e7e3fc93ef0ce7de8cc338591d380d01c2dcf1
Link:
https://www.unpac.me/results/8a4ce8f6-9320-4cca-b7b3-29b1eadb19ab/
SH256 hash:
48dc72a1b4e3bec5c7df2c7cc89e97555174fd723b7487e8f9edea053d945914
MD5 hash:
1c6625ee551f3e578fdbe9e4dd15c233
SHA1 hash:
cf775de6ab75c86806f23c262e20eeeb2ccab27d
Link:
https://www.unpac.me/results/8a4ce8f6-9320-4cca-b7b3-29b1eadb19ab/
SH256 hash:
d680602ff7dbd357eecc0fb7f689b7aa6392310a0596ef627c6d2232efd58072
MD5 hash:
3194c79402b7c2350b889d0b8c860d06
SHA1 hash:
8ce063c53a02ebaa95c3dcb4f94da8eacecead33
Link:
https://www.unpac.me/results/8a4ce8f6-9320-4cca-b7b3-29b1eadb19ab/
SH256 hash:
26bdae27d7072b00ca6115707d1be63b9eaec5e12beb4b35d8596612e48ac292
MD5 hash:
f23472a9df439c4cf0d514c945bcbb66
SHA1 hash:
231b3a586fe20b7e49990f6d89db1e62f00cf8fc
Link:
https://www.unpac.me/results/8a4ce8f6-9320-4cca-b7b3-29b1eadb19ab/
SH256 hash:
63b5ac38d4613e522ae28924b4513a9ff15eb60e80182fd58f6db19d8994a4b9
MD5 hash:
e901b07ad6378e87c3a68067288f3944
SHA1 hash:
1aca2503600c5b53d795dbdf77cda30b34465e2d
Link:
https://www.unpac.me/results/8a4ce8f6-9320-4cca-b7b3-29b1eadb19ab/
SH256 hash:
aa97054a287edc23da97394f7fcb446e1cac119281d6ca5d331a73dbd31e6d46
MD5 hash:
9951183daaca74322f933737e040d98e
SHA1 hash:
06e58e13bff56c440f6d513c530e3b1d81615fbe
Link:
https://www.unpac.me/results/8a4ce8f6-9320-4cca-b7b3-29b1eadb19ab/
SH256 hash:
8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c
MD5 hash:
2344df683dc8295da9e132d132083a26
SHA1 hash:
de94138ee8c7724089ef9faa80b8453c0b3986a3
Link:
https://www.unpac.me/results/8a4ce8f6-9320-4cca-b7b3-29b1eadb19ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371366/

Comments