MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b238491cbf41c1927953a5907b8e1782375602e5a6b62d32dc686fd8e866f421. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 13



SHA256 hash: b238491cbf41c1927953a5907b8e1782375602e5a6b62d32dc686fd8e866f421
SHA3-384 hash: 2841319a0173d6ffa30a1df122dfe2b5b0f59f87be5a179f552fe91c9391700a4b5e6231405a38c77a681614699e2b38
SHA1 hash: 7fe98e503bf6bb4f2104c15f86b02880ec112fc6
MD5 hash: 06e59bcca37006851032f99abfdc6918
humanhash: king-magazine-michigan-hamper
File name: 06e59bcca37006851032f99abfdc6918.exe
Signature NetSupport
File size: 2'660'415 bytes
First seen: 2022-05-28 17:16:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash bf8e93937f9e7494ce0335cf5d059356 (8 x NetSupport)
ssdeep 49152:/yrIitxv7IehafNELosmBMRdBmmnQI2KlDF+eXU/sJCKeZxEzhReGS:/yrXxTvhalEomDRdq0JWQjpS
Threatray 122 similar samples on MalwareBazaar
TLSH T13EC52311F3C825BAC8294B70CDA6D534C37B3D746AB8E40DBB86372F75B19268297B11
TrID 73.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
8.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.6% (.SCR) Windows screen saver (13101/52/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon 60646060eeec6c89 (1 x NetSupport)
Reporter abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
160.20.147.39:3377

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
160.20.147.39:3377    https://threatfox.abuse.ch/ioc/643057/

Intelligence


File Origin
# of uploads:
1
# of downloads:
338
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
netsupport
ID:
1
File name:
06e59bcca37006851032f99abfdc6918.exe
Verdict:
Malicious activity
Analysis date:
2022-05-28 17:19:38 UTC
Tags:
unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware netsupportmanager overlay packed remoteadmin shell32.dll update.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Infostealer.ChePro
Status:
Malicious
First seen:
2022-04-01 17:35:27 UTC
File Type:
PE (Exe)
Extracted files:
478
AV detection:
16 of 26 (61.54%)
Threat level:
5/5
Result
Malware family:
netsupport
Score:
10/10
Tags:
family:netsupport rat
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
SHA256 hash:
712ff54148b9eb195057e48f8d30f2f05abc6a980c5d9bdf552ceb4507c1cfb9
MD5 hash:
5d2303e4ff60395b01b0d9d3a9481718
SHA1 hash:
f9cf9faafe79f4c1714cce4ae7726c98653c097a
SHA256 hash:
2025eaca35bc0ae40dc35b665f919c0e868dacb9a6cbbffea6f42c8380c375a3
MD5 hash:
d6afe503514b3c2cc62ff03d46777d30
SHA1 hash:
ea765faf0b6cb3b72b4628d5a5764b76c2804356
SHA256 hash:
7ad690c34bb26904fc2321991f21c9f0c91893dc9c5bb9ae0890457a533433fe
MD5 hash:
6493ce272814d37c709cb44e916a24c2
SHA1 hash:
d231c14e0ea45b95a5c074ec2420877cb681b5da
SHA256 hash:
f0d305e9ea81296bbad0d1fad08f9db7ef9b400d1bc4340146e38910d629ca2a
MD5 hash:
53267e76d05e98fcd27856eeb4e12c0b
SHA1 hash:
80008356fe0659e54e1bf2f7bbf08842db70e24f
SHA256 hash:
c14f52f2f2ff6849f62aec0d673a30b642ace947b87bac737b1042c2ca85e2a7
MD5 hash:
cd90644efd4ec4bf9d63bf7e5b374fb8
SHA1 hash:
56e23964cf6589eee766b003d04a8df8a0b085b9
SHA256 hash:
460d715b3d5a7d6e9dd5f9429be99d8780075a1eb401ee47f1df11d7ca0ef580
MD5 hash:
5141a2c24263b4d2fe4f060a4ffe4df3
SHA1 hash:
20b47aa9430c966c0d5536d91ff4a357dc0a5f7b
SHA256 hash:
b238491cbf41c1927953a5907b8e1782375602e5a6b62d32dc686fd8e866f421
MD5 hash:
06e59bcca37006851032f99abfdc6918
SHA1 hash:
7fe98e503bf6bb4f2104c15f86b02880ec112fc6
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments