MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 996004853edac15918294b18cc8f7145b2e4f230f83fc90314c8253a9eb3772f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 13



SHA256 hash: 996004853edac15918294b18cc8f7145b2e4f230f83fc90314c8253a9eb3772f
SHA3-384 hash: 752482ee6568e1168dc2d8188c437f018821e0741b055b4c67ff82c8ca82338c94709bd1dd3f44a55e281c571e6fb966
SHA1 hash: e472eda6d01c2ccbc43a5a1b446411698cb98506
MD5 hash: 8e8303890125fa304f80eda7359c04c9
humanhash: alpha-beryllium-network-queen
File name: 8e8303890125fa304f80eda7359c04c9.exe
Download: download sample
Signature: NetSupport
File size: 2'007'392 bytes
First seen: 2022-06-18 08:07:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash dbb1eb5c3476069287a73206929932fd (27 x NetSupport, 1 x Retefe, 1 x ArkeiStealer)
ssdeep 49152:pmMXopFdrAskByVgEKEZv5zauP+Tx77KZbYj5IO3Tfl/:pmzndrAsQEnv53P+xyOjF
TLSH T1BA9533113FD230BBD5B553315DAB061165BDA86B29B9F30ED7A2272F3930A11DA4CB23
TrID 76.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
9.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE): (icon image)
dhash icon: b2f071ccc4c4e070 (1 x NetSupport)
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
46.21.159.165:1032

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
46.21.159.165:1032 | https://threatfox.abuse.ch/ioc/716214/

Intelligence


File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
ID:
1
File name:
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcdn.discordapp.com%2Fattachments%2F984102262278332540%2F984102529715560458%2Fpei21053.exe&data=05%7C01%7Ccarlos.guzman2%40pmi.com%7C9db59e2959bf46b56b3f08da4e69acd9%7C8b86a65e3c3a44068ac319a6b5cc52bc%7C0%7C0%7C637908517165624309%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=TW4ARRDMB2yJjUc9d%2F1T1cr4Wwkqg%2Fs8BX6kAgroinY%3D&reserved=0
Verdict:
Malicious activity
Analysis date:
2022-06-15 18:05:14 UTC
Tags:
unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Query of malicious DNS domain
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
5/10
Confidence:
80%
Tags:
remoteadmin
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Signature
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.ChePro
Status:
Malicious
First seen:
2022-06-11 01:03:56 UTC
File Type:
PE (Exe)
Extracted files:
465
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Result
Malware family:
netsupport
Score:
10/10
Tags:
family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments