MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a60f3cfa331d387f6c6f704f97320d7743d28fa3499eae89422bba890036e2a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 12

SHA256 hash: a60f3cfa331d387f6c6f704f97320d7743d28fa3499eae89422bba890036e2a1
SHA3-384 hash: 0c6c23b7c360c6cc04c5e8974630a12e9ec530ddfd72bef8b068f947ef0a045a75c8cd707e634d93f710b13101d70437
SHA1 hash: 74491144ce4fe8afa80a3ea68a7e639b0385a669
MD5 hash: b608fe477d5b4a3b47a7a9295b45122f
humanhash: apart-twenty-fourteen-dakota
File name: b608fe477d5b4a3b47a7a9295b45122f.exe
Signature: NetSupport
File size: 2'623'273 bytes
First seen: 2022-07-09 06:05:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf8e93937f9e7494ce0335cf5d059356 (8 x NetSupport)
ssdeep: 49152:gywKNL4T1E7WB85g6uwZnLXF1KwEMWYZc8seX05TNvpkouhId9h1orp1JN:gywfTiaB8VuOnLXFoaZzXMUo7dxorp1T
Threatray: 130 similar samples on MalwareBazaar
TLSH: T1EBC502E2B1F05EE8C866B8F4C7AB6CF711752F21070B911645BE3A4B9DBC291092B5CD
TrID: 73.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      8.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      4.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.6% (.SCR) Windows screen saver (13101/52/3)
      2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: 707179e1f0d8c8f0 (1 x NetSupport)
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
185.31.160.74:1998

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
185.31.160.74:1998  https://threatfox.abuse.ch/ioc/821344/

Intelligence


File Origin
# of uploads: 1
# of downloads: 415
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Searching for synchronization primitives
  Creating a file in the %AppData% subdirectories
  Enabling the 'hidden' option for recently created files
  Creating a process from a recently created file
  DNS request
  Using the Windows Management Instrumentation requests
  Sending an HTTP GET request
  Enabling autorun by creating a file

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CheckCmdLine

Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: greyware netsupportmanager overlay packed remoteadmin shell32.dll virus

Result
Verdict: MALICIOUS
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature:
  Delayed program exit found
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Uses known network protocols on non-standard ports

Threat name: Win32.Trojan.NetSup
Status: Malicious
First seen: 2022-04-06 01:05:34 UTC
File Type: PE (Exe)
Extracted files: 461
AV detection: 10 of 26 (38.46%)
Threat level: 5/5

Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
  Drops startup file
  Loads dropped DLL
  Executes dropped EXE
  NetSupport

Unpacked files
SHA256 hash: d33c26af448227d3a832604c4d00edcabbddfa14241b1d349dd374514f6fa018
MD5 hash: 995dc9260cffa645319ae3acf20cb896
SHA1 hash: fc3fad2c67c00d3efb98b64d14e4aec19e02a1df

SHA256 hash: eb03b11a641e1aed68a12650c8e9d650ac7f03e7c56ac8c69a536eebaad8bcf8
MD5 hash: 381ab83f3453ad1011384c83b29fe986
SHA1 hash: c4a7765760af9613f476aa980003037e172742d2

SHA256 hash: e038c3c6865cec121f05d0e625f552f4d400d7194dee999bdb7c867cabe17318
MD5 hash: 37c89e878770cbf385be8c38943bcae6
SHA1 hash: ab7c16ff8314eaaaf6f7dd0117906f5070309e27

SHA256 hash: c14f52f2f2ff6849f62aec0d673a30b642ace947b87bac737b1042c2ca85e2a7
MD5 hash: cd90644efd4ec4bf9d63bf7e5b374fb8
SHA1 hash: 56e23964cf6589eee766b003d04a8df8a0b085b9

SHA256 hash: 769399e0010f1eee5b02c76142bd91b00445a8452522dd2562e7efb9eee947a7
MD5 hash: 46cb2febaf05b8e6ccd3ec84e4e29790
SHA1 hash: 4d04a40b16d7fbafa0b4a8b6a440e57a4b184570

SHA256 hash: 054a84ca1c05f644eaf0e9ed7f73ac6952b841166eea1af936f30ce7f0e295a7
MD5 hash: ea7911349017342570373a055e5e29fb
SHA1 hash: 10676d23d73e21d92ab88f46a221979f320a467c

SHA256 hash: a60f3cfa331d387f6c6f704f97320d7743d28fa3499eae89422bba890036e2a1
MD5 hash: b608fe477d5b4a3b47a7a9295b45122f
SHA1 hash: 74491144ce4fe8afa80a3ea68a7e639b0385a669
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments