MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adf3534c37d75d16fbefd668a7b0bc2a7797315e77b2a9bf4b985884b0cafbed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: adf3534c37d75d16fbefd668a7b0bc2a7797315e77b2a9bf4b985884b0cafbed
SHA3-384 hash: de4141fa630579be51a7bb92de57356cb562600ec1511c5a2cbf3b5522575d86b8a39fddcbb27be15657036e309ea4db
SHA1 hash: a3242f9a3a14d2b0ae24c9a39034aa008389035a
MD5 hash: b2099aa6ad71ef482172f17f9f05f974
humanhash: vegan-comet-helium-india
File name:b2099aa6ad71ef482172f17f9f05f974.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'125'036 bytes
First seen:2023-01-03 22:20:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 49152:IBJH6RT0EkHbG+Jw6NbHHBp7k5hhelN6YawnqFKwgVR2:yJwAwYt5ShAiYawBwT
TLSH T1CDA5230279C6C9B2C573187A4A786B11B93DBE302F29CDEB6784561ECE319C1E734792
TrID 84.3% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
5.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.3% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
95.216.253.73:5531

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
b2099aa6ad71ef482172f17f9f05f974.exe
Verdict:
Malicious activity
Analysis date:
2023-01-03 22:22:07 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/bd79f6b4-d0dd-4533-bdbd-947634490b1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetSupport
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349260/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63b4aa4f40e878e304227ab7/reports/148b5177-2bde-40c7-b068-8e33001e865e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5ea9d563-a11d-4a58-90ba-fb4872b431c7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1144821
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/adf3534c37d75d16fbefd668a7b0bc2a7797315e77b2a9bf4b985884b0cafbed/
Threat name:
Win32.Infostealer.ChePro
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 00:12:12 UTC
File Type:
PE (Exe)
Extracted files:
470
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxzvgtbx25orn67p2zukpmf4fj3zomk6o6zktp2ltbmijmgk7pwq._file
Verdict:
malicious
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230103-19mmrsgd4z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ca7f756-638e-4837-b70f-5f8e9ab87af5
Unpacked files
SH256 hash:
f40a8b6f6a9aa1f50aac643ec21f21b0cef8dc4d0a3c17baf0e4fabae6803f83
MD5 hash:
e4b58ea3520f07a5e3f557db6b6005f3
SHA1 hash:
0c82bebc43a62cf762f97b2311f0a42541c0372d
Link:
https://www.unpac.me/results/84d94435-f933-4e99-ad8b-e49551970a7c/
SH256 hash:
1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5 hash:
f525bd5dcec08be37a94d743d345be14
SHA1 hash:
ed1485111b370e0f75c004c5b253d3bf7ce18cf7
Link:
https://www.unpac.me/results/84d94435-f933-4e99-ad8b-e49551970a7c/
SH256 hash:
64fdcc8f7d999afb325ca5fcd2fcfc7117e667163e0193ad412ae479297bddb1
MD5 hash:
b2a119252bc0c91f15ad1e40c48bc69a
SHA1 hash:
450aedbb3b1987feff3f81d62126b4c09489be2c
Link:
https://www.unpac.me/results/84d94435-f933-4e99-ad8b-e49551970a7c/
SH256 hash:
7548507318cf9aeb49203a487650691f0d968e11430b0db734e0724b6378a177
MD5 hash:
60489d8492a825da41158637b23380e3
SHA1 hash:
369443fdbd9b3a3ebcd5e619d59c09ef29275233
Link:
https://www.unpac.me/results/84d94435-f933-4e99-ad8b-e49551970a7c/
SH256 hash:
4d26b016931750b06e8e129225c5e455f5d262f7683394d6b37d2548ebf04e08
MD5 hash:
29be678256458ea79b06fd11e0b68768
SHA1 hash:
30e30457a447f8456b46afed7481db7645062d2b
Link:
https://www.unpac.me/results/84d94435-f933-4e99-ad8b-e49551970a7c/
SH256 hash:
01956b7c1fdef594bd0c88b31ba29f6d6602102f0eb88ed47496635528a3a5e9
MD5 hash:
cb65b10a910af360104272ae1d17bdad
SHA1 hash:
0a46e13839942d89255b75ddcf2ffbd187831dbb
Link:
https://www.unpac.me/results/84d94435-f933-4e99-ad8b-e49551970a7c/
SH256 hash:
adf3534c37d75d16fbefd668a7b0bc2a7797315e77b2a9bf4b985884b0cafbed
MD5 hash:
b2099aa6ad71ef482172f17f9f05f974
SHA1 hash:
a3242f9a3a14d2b0ae24c9a39034aa008389035a
Link:
https://www.unpac.me/results/84d94435-f933-4e99-ad8b-e49551970a7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/adf3534c37d75d16fbefd668a7b0bc2a7797315e77b2a9bf4b985884b0cafbed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349260/

Comments