MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 918df3483605d66cdd9a1abf3df845cffc2ed38436bfbe4b7f9b9eb748e1b573. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 13



SHA256 hash: 918df3483605d66cdd9a1abf3df845cffc2ed38436bfbe4b7f9b9eb748e1b573
SHA3-384 hash: eaeb85b02bbc81d4d7c72f400cbe675e6e4067f84439ce2baf10083a916e18f2d1e0f990c594e5eb502df41116ac2ae9
SHA1 hash: f05e11dcc62727cabc8948b1da73ab5d24efb1ff
MD5 hash: 2c13cec20e08ff1564152af254da4cee
humanhash: cup-pasta-wolfram-ohio
File name: 2c13cec20e08ff1564152af254da4cee.exe
Signature: NetSupport
File size: 17'418'960 bytes
First seen: 2023-05-31 05:40:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (260 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 196608:uY+ffboZh39AL4yV4Ksd1taqFOZvA87ZyAXX1v9bYMs9nVNNN7nYMvsrigt3p1kg:uoZrNo+1t7FQh7cAXXEV7RYqOgPHUb
TLSH: T13B07333FF1A8A53ED96A063205B38650997BBB2079168C0E47FC354DCF729701E3BA56
TrID: 50.4% (.EXE) Inno Setup installer (109740/4/30)
      19.7% (.EXE) InstallShield setup (43053/19/16)
      19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe NetSupport signed

Code Signing Certificate

Organisation: Rhynedahll Software LLC
Issuer: SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm: sha256WithRSAEncryption
Valid from: 2023-05-04T16:42:25Z
Valid to: 2024-05-03T16:42:25Z
Serial number: 651f3e5b491b197d20c49b9c7b25b775
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 0ee11d5917c486b7a57b7c3c566acec251170e98a577164f36b7d7d34f035499
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
NetSupport C2:
168.100.11.196:443

Intelligence


File Origin
# of uploads: 1
# of downloads: 253
Origin country: NL
Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: 2c13cec20e08ff1564152af254da4cee.exe
Verdict: Malicious activity
Analysis date: 2023-05-31 05:46:33 UTC
Tags: installer netsupport unwanted

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the shell\open\command registry branches
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 26 / 100
Signature:
Adds a directory exclusion to Windows Defender
Obfuscated command line found
PE file has a writeable .text section
Behaviour:
Behavior Graph (ID: 878768; Sample: oCGxmva5iq.exe; Start date: 31/05/2023; Architecture: WINDOWS; Score: 26)
Sample-level signatures: PE file has a writeable .text section; Adds a directory exclusion to Windows Defender
Process tree (dropped files, signatures and network contacts listed under the process they belong to):
  oCGxmva5iq.exe (started)
    dropped: C:\Users\user\AppData\...\oCGxmva5iq.tmp, PE32
    signature: Obfuscated command line found
    oCGxmva5iq.tmp (started)
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      oCGxmva5iq.exe (started)
        dropped: C:\Users\user\AppData\...\oCGxmva5iq.tmp, PE32
        signature: Obfuscated command line found
        oCGxmva5iq.tmp (started)
          dropped: C:\Users\user\...\koolmoves.exe (copy), PE32
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
          dropped: C:\Users\user\AppData\...\zlib1.dll (copy), PE32
          dropped: 22 other files (none is malicious)
          koolmoves.exe (started)
            dropped: C:\Users\user\AppData\Local\...\tcctl32.dll, PE32
            dropped: C:\Users\user\AppData\...\remcmdstub.exe, PE32
            dropped: C:\Users\user\AppData\Local\...\pcicl32.dll, PE32
            dropped: 5 other files (4 malicious)
            signature: Adds a directory exclusion to Windows Defender
            cmd.exe (started)
              signature: Adds a directory exclusion to Windows Defender
              powershell.exe (started)
              conhost.exe (started)
            client32.exe (started)
              network: 168.100.11.196, 443, 49705 CLOUD9US United States
  koolmoves.exe (started)
  koolmoves.exe (started)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-05-31 05:41:18 UTC
File Type: PE (Exe)
Extracted files: 1978
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
eb4ff6ed8e58274fc38ffe2ef3896dd47556138c9979404da9b102a78b95f873
MD5 hash:
4ae1cce84af7e887e31942161b76301a
SHA1 hash:
daf5e22b911c04f6063cf1e18e252583d8c28d1a
SHA256 hash:
2b8ba52a905f6eceec88cad2b7c82f6e2b0834db1420d882ae3e7d3239b9552b
MD5 hash:
17e13f0e10ab9d9b4be8f239ce24e00f
SHA1 hash:
d57afc66d93a047a8d04a47346514b90231bfcd4
SHA256 hash:
e1754c6c77c0109330cc078b9c101efc221345acaf49a0801428d449a10cf932
MD5 hash:
ec9501cbf04b8325dd5db532976200c1
SHA1 hash:
acf92837d9e60616ae9867a478a3a1ac66468381
SHA256 hash:
af6b6381869e9786f6c2f742dc55aa48667a25ab7155ff762d006fede95a2e0b
MD5 hash:
a9389b061c9f09600203742aa07ddd0a
SHA1 hash:
558ae0e51c19d061a843eef80f34deb842c26a73
SHA256 hash:
86227f2ec5856b3b3a0ca26f5a93ef204348eff34150208df5ee67bab4f3822d
MD5 hash:
9d19346ac875197414f22df1911b2c9b
SHA1 hash:
2c87ff315854e9c517f7fb4a4c15a73050ba633a
SHA256 hash:
5cf6ac60abf9272e498cfcf8e1ba612f19603287b35bb466250c04d9d156aab0
MD5 hash:
65bc41aa968126176760e1f5936f7332
SHA1 hash:
0fe9adfd994fc6cf56512c697428108249b1047a
SHA256 hash:
7528eb4f948b61e8001ea030d9b54341f6ca69ca328582cc1f6422f6640c377b
MD5 hash:
e6faaa78eb644504a7e7f0746d11c2c6
SHA1 hash:
0fd49e1d79592c860ed577a1c9bbd8eba8afa12b
SHA256 hash:
4ce10d45ef197e6025404f83d85ba6e02d4a402e049396e5e3bbb9e2af57a9b9
MD5 hash:
dfb6fe072ffee12b9e781619eef78181
SHA1 hash:
ba19196b43bc2816476a59577bf3cc83cd95c8ec
SHA256 hash:
69898db4edbc00567e15c7281e57858435b5f5d7b12c64ac04586c6265b9f582
MD5 hash:
488cbac037af929696271831085f01fb
SHA1 hash:
f8fa3a402995c871a18ba95cd2ce9a814a70910a
SHA256 hash:
3bd0e9fd74c14059c8909bcfecf723a8b47fdfbe54e35f8becd9390b85ad6fe9
MD5 hash:
2a1cee302820a635af9d1e032b51ce60
SHA1 hash:
d8fac4726211ab8668b402183d4e51a636eeccfc
SHA256 hash:
ed4cb81fa497d559916fc3e59ba08af40e654c77f837ddb79458eeb8a4be3080
MD5 hash:
fc738f9bf0564469ee175f946af1b608
SHA1 hash:
d2d01e487009c2c153d291a07540967f16464cff
SHA256 hash:
b161126f37adc1119290c51783a28a8a9869aa5b1fac19d992b0a7b63a6e15ed
MD5 hash:
b415b94c7f23488e3d0b66cd9f37efd4
SHA1 hash:
aeade9c36e7d8422a857e06d66ce78f3149bef9f
SHA256 hash:
1920c32347b9533e558b6d883c128e490ad0b9acc484f29ed101ab9fe09ff545
MD5 hash:
8e32347841cc2708fcc8dac7d406426f
SHA1 hash:
9f4f4ef0f4987712436545c58bf2e09527519612
SHA256 hash:
fd606f97bdcc1d9748267bd11f85cafd74f1bf0da73206693558a446fa094119
MD5 hash:
98dc8a6be13b67499bab638447586cba
SHA1 hash:
6f53f3666210a4382fd2ea32672824fdbdde8667
SHA256 hash:
c54f1aabc231f8fdfdaecd2c82c31cc9144fd595690ea8abc1ade0e34fd396a2
MD5 hash:
9a77261960f1ddff480de273d1e3d509
SHA1 hash:
1b0fe9afabf66a31e3681e0cb6de5e4214929f38
SHA256 hash:
918df3483605d66cdd9a1abf3df845cffc2ed38436bfbe4b7f9b9eb748e1b573
MD5 hash:
2c13cec20e08ff1564152af254da4cee
SHA1 hash:
f05e11dcc62727cabc8948b1da73ab5d24efb1ff
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments