MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e2a9aa786472790251f23bed621b4ef1590dca4d7fe25c38b85976d35fbe435. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	9e2a9aa786472790251f23bed621b4ef1590dca4d7fe25c38b85976d35fbe435
SHA3-384 hash:	90646b3732cedaaa6ddc85cc0bd231b6d528d738906e1450b577deb76035d62f68869e0807fe729df9fc09fa54bee13d
SHA1 hash:	80904b3180521b62069147816fd8520f5e11e0a9
MD5 hash:	43f7e817f1cf54a4cdd8c720f5c70692
humanhash:	zulu-asparagus-delta-venus
File name:	file
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'783'936 bytes
First seen:	2023-01-16 19:58:44 UTC
Last seen:	2023-01-17 06:16:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bf8e93937f9e7494ce0335cf5d059356 (8 x NetSupport)
ssdeep	49152:ry5GOp+uzjqahKLbVdaPDrSDUX/DDDsN6qInMoyVaOHkJ5bzdaItOu2:ry5Gi+uzjqahKLbPODrSgbDgN6qInMdV
Threatray	197 similar samples on MalwareBazaar
TLSH	T161D501512D81D576E20136F0FA20F8F348DA7D23E4ACC78B86017F5B36FC66496C9A96
TrID	73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.6% (.SCR) Windows screen saver (13097/50/3) 2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	b216b22b69aa2b49 (1 x NetSupport)
Reporter	andretavare5
Tags:	exe NetSupport signed

Code Signing Certificate

Organisation:	AnyDesk
Issuer:	AnyDesk
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-12-24T00:00:00Z
Valid to:	2025-12-24T00:00:00Z
Serial number:	622e172be60175a0
Thumbprint Algorithm:	SHA256
Thumbprint:	36832a50f9dc976fe13987a968bde38d4f565f29fd63233871e1ba5ff7767764
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc139074685_654440782?hash=rlt4LfOzu14GsqxnmUtxDhq8TvDYSYdPLu0pxH8RIqw&dl=GEZTSMBXGQ3DQNI:1673898506:BmCvMuuOO06GncGQqmu7zrNJz8FVwVzwsm1yjN5J4lk&api=1&no_preview=1#any1

Intelligence

File Origin

# of uploads :

179

# of downloads :

263

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netsupport

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-16 20:01:05 UTC

Tags:

unwanted netsupport

Link:

https://app.any.run/tasks/772fee7d-ce7b-4583-afa9-059dfd2bafa3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/353536/

Detection(s):

SecuriteInfo.com.Program.RemoteAdmin.837.5527.6438.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.11923.27396.UNOFFICIAL

PUA.Win.Packer.Pseudosigner-36

PUA.Win.Packer.BorlandDelphiKo-1

SecuriteInfo.com.Program.RemoteAdmin.837.6774.30868.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.3564.9146.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.19536.7356.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

DNS request

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/60745/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63c5ac870089af3e437f81e2/reports/2cbb68c0-7670-4a70-aac5-64ea22c2d236/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetSupport Ltd

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/67d4d4c3-3a2b-42f4-887a-bed61ea8d3cf

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1152614

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9e2a9aa786472790251f23bed621b4ef1590dca4d7fe25c38b85976d35fbe435/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-01-16 19:59:19 UTC

File Type:

PE (Exe)

Extracted files:

461

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tyvjvj4gi4tzaji7eo7nminu54kzbxfe277clq4lqwlw2np34q2q._file

Verdict:

malicious

NetSupport

5a7de361bcc0ff503cf974023547853abe74c8bc336bcd04983dd42a39b4015a

NetSupport

6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8

NetSupport

9a7460335390cb370f8b6c6f35acb4124580a14a8e8231498d0bc08c8d0c65d3

NetSupport

bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b

NetSupport

ccc6693d703b68b3bd0e697cbff8f1f59cb4b5aed29da770d8000f3dc61917c1

NetSupport

db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856

NetSupport

+ 187 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/230116-yqdjmsge91/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

NetSupport

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f47eb71f-17e2-4ba9-a254-9b9444132c4f

Unpacked files

SH256 hash:

67df868b103f9c5abbb8de466bd1ab6b39113f835a7db7c5cbc945268993fb58

MD5 hash:

80fc5c70bfc99b13ffb596a8feaa34b4

SHA1 hash:

fe430971de4b858df9d2611ebfd3935a5d0cc1b3

Link:

https://www.unpac.me/results/6f3e90dd-1ec0-45a3-a502-779d3569e8d2/

SH256 hash:

9dd994694200780c9c395c8fb08c6b6055c2107df52b23654c95e24c42fd57fa

MD5 hash:

723cab3bc70833a3e2a6d60573c0d34d

SHA1 hash:

bca468b3988930351b288bf41135b945c7da8597

Link:

https://www.unpac.me/results/6f3e90dd-1ec0-45a3-a502-779d3569e8d2/

SH256 hash:

91e5c92e2f1dad7d4199a24338a6acdd5b3fe7ba97bbf277163925dec22808a7

MD5 hash:

829c5979d510f4517b004872b531f737

SHA1 hash:

bb83b87f4fd9712ad281890c8a683056218da5cc

Link:

https://www.unpac.me/results/6f3e90dd-1ec0-45a3-a502-779d3569e8d2/

SH256 hash:

4dc9e3974f72fb2b479b189777069009ad96c9326c79906711e138e2beebe8fb

MD5 hash:

458bf92d49e25a0db596ff2cf396128e

SHA1 hash:

a161c4eccebad3456a883508560ecd2e6a8727bc

Link:

https://www.unpac.me/results/6f3e90dd-1ec0-45a3-a502-779d3569e8d2/

SH256 hash:

4e1b7609987dc7dcad3f358f6b0cd8ec44bbf9a369609f64e30555e8d3b54eb2

MD5 hash:

28ff65ffcefb5a393ba1138a061d1910

SHA1 hash:

6735c9c85cc8496e1e2fe7545175a2e19b2264fe

Link:

https://www.unpac.me/results/6f3e90dd-1ec0-45a3-a502-779d3569e8d2/

SH256 hash:

22746d3f8e403caefa83c541db87a681737dca4c4e0b8f216ebeeb12cd36103e

MD5 hash:

3735530dc065a6f91a9a4ad017da6e3f

SHA1 hash:

2356c84f3c5e342c9d3b2939fff881926e6745b0

Link:

https://www.unpac.me/results/6f3e90dd-1ec0-45a3-a502-779d3569e8d2/

SH256 hash:

9e2a9aa786472790251f23bed621b4ef1590dca4d7fe25c38b85976d35fbe435

MD5 hash:

43f7e817f1cf54a4cdd8c720f5c70692

SHA1 hash:

80904b3180521b62069147816fd8520f5e11e0a9

Link:

https://www.unpac.me/results/6f3e90dd-1ec0-45a3-a502-779d3569e8d2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NetSupportManager RAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9e2a9aa786472790251f23bed621b4ef1590dca4d7fe25c38b85976d35fbe435

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/353536/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample