MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a7460335390cb370f8b6c6f35acb4124580a14a8e8231498d0bc08c8d0c65d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	9a7460335390cb370f8b6c6f35acb4124580a14a8e8231498d0bc08c8d0c65d3
SHA3-384 hash:	3e634fc6d261aed466595c87f51be228b8187536f0119522ceb3ddf34cbe9afce40fc80443a8e1c7ff35c4f44152fb2c
SHA1 hash:	ddcc9fc1405748fd70f338b120ddf2bb9ab07842
MD5 hash:	99da30924a57a91be613501a52cc4d30
humanhash:	mango-red-harry-yellow
File name:	99da30924a57a91be613501a52cc4d30.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'572'264 bytes
First seen:	2022-04-04 11:02:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf8e93937f9e7494ce0335cf5d059356 (8 x NetSupport)
ssdeep	49152:fyp4lo/YvcKNG491E7WB85g6uwZnrXF1KwEMWYZc8seX05TNvpkouhId9hxo1p1Z:fyL/YvcM9iaB8VuOnrXFoaZzXMUo7dlo
TLSH	T19CC53305A7D0EA70CD761A7009FF67A513347C229D78D607EB85B31F79B12220A6EF62
File icon (PE):
dhash icon	58585ada18fcc481 (1 x NetSupport)
Reporter	abuse_ch
Tags:	exe NetSupport

abuse_ch

NetSupport C2:
162.33.178.122:5531

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
162.33.178.122:5531	https://threatfox.abuse.ch/ioc/488705/

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/260525/

Detection(s):

SecuriteInfo.com.Program.RemoteAdmin.837.11923.27396.UNOFFICIAL

PUA.Win.Packer.Pseudosigner-36

PUA.Win.Packer.BorlandDelphiKo-1

SecuriteInfo.com.Program.RemoteAdmin.837.6774.30868.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.3564.9146.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.19536.7356.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP GET request

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

DNS request

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12544/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed remoteadmin shell32.dll update.exe

Link:

https://www.filescan.io/uploads/624ad067aa7e43c6a6b62038/reports/965469f4-86af-4a3c-a064-fa2328604faa/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6cef7e1f-9450-4eab-914f-cf15c7a95c1a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/969945

Signature

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a7460335390cb370f8b6c6f35acb4124580a14a8e8231498d0bc08c8d0c65d3/

Threat name:

Win32.Trojan.NetSup

Status:

Malicious

First seen:

2022-03-31 18:18:37 UTC

File Type:

PE (Exe)

Extracted files:

476

AV detection:

14 of 42 (33.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tj2gam2tsdftod4lnrxtllfucjcybikkr2bdcsmnbpaizdimmxjq._file

Verdict:

malicious

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/220404-m5nsdadgc7/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

NetSupport

Unpacked files

SH256 hash:

fa611c8967138f0266f62819f194256e8f7cc5fe3da34115ef13627ee4c72916

MD5 hash:

8aeee42d207975a538a9c3b1dc7d1bc7

SHA1 hash:

f6185146e001960b794825f3b90070d42dd9e035

Link:

https://www.unpac.me/results/31c9fc8d-eafc-4020-93aa-d2fcd520e961/

SH256 hash:

5455222fe97a7bed08f35cb6262ba2ea9548cdd6c5b3ed643efab942a7e3daa6

MD5 hash:

0dcf19419dc5aac45bd1e5a9815832ae

SHA1 hash:

e008c5f83767d6aa6619952f4e1b30ef6ac4b5b4

Link:

https://www.unpac.me/results/31c9fc8d-eafc-4020-93aa-d2fcd520e961/

SH256 hash:

147c821f9736428c6c9e317e25bef5b1354b82056794712a52f4b7ffa8fd7e9f

MD5 hash:

4d0dda630f4b1335911cf6027984f72f

SHA1 hash:

b76f3e08cad3f44b461efc08eb282a3f74626cef

Link:

https://www.unpac.me/results/31c9fc8d-eafc-4020-93aa-d2fcd520e961/

SH256 hash:

03691840de5682908dfc0f7535de303eb6dc8227c32178fd51206f60e711aff2

MD5 hash:

acddbf86d1b110cca725d1b05c993afe

SHA1 hash:

8efc64cda454fd1db4da6bfbcba005007c587d06

Link:

https://www.unpac.me/results/31c9fc8d-eafc-4020-93aa-d2fcd520e961/

SH256 hash:

3351f6169cb4050749ee10c9c71854b412878a66f3a9d2efed71b4026f0bcf99

MD5 hash:

158e0b4b1fc67fc06000aec7d327e4b8

SHA1 hash:

608cfb3749ca645a3e96f829fc40887df69d7576

Link:

https://www.unpac.me/results/31c9fc8d-eafc-4020-93aa-d2fcd520e961/

SH256 hash:

c14f52f2f2ff6849f62aec0d673a30b642ace947b87bac737b1042c2ca85e2a7

MD5 hash:

cd90644efd4ec4bf9d63bf7e5b374fb8

SHA1 hash:

56e23964cf6589eee766b003d04a8df8a0b085b9

Link:

https://www.unpac.me/results/31c9fc8d-eafc-4020-93aa-d2fcd520e961/

SH256 hash:

9a7460335390cb370f8b6c6f35acb4124580a14a8e8231498d0bc08c8d0c65d3

MD5 hash:

99da30924a57a91be613501a52cc4d30

SHA1 hash:

ddcc9fc1405748fd70f338b120ddf2bb9ab07842

Link:

https://www.unpac.me/results/31c9fc8d-eafc-4020-93aa-d2fcd520e961/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a7460335390cb370f8b6c6f35acb4124580a14a8e8231498d0bc08c8d0c65d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260525/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample