MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a2bc42672492c4a0d3a7fa4f0ad1352f3ccbc245903fd6010079903656f884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	b3a2bc42672492c4a0d3a7fa4f0ad1352f3ccbc245903fd6010079903656f884
SHA3-384 hash:	4e389f3cfb59d463fb33766cf68b3fb49dda6f3b21542314dee7479344a043b8c10dee7b5fd9c8a2bc32a0f492671c88
SHA1 hash:	dee0ebac7bcd49109d56a896d12dbc142e46f3db
MD5 hash:	38daa65155587e7fea048f60ab55ee6b
humanhash:	wyoming-mobile-chicken-white
File name:	b3a2bc42672492c4a0d3a7fa4f0ad1352f3ccbc245903fd6010079903656f884
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	4'968'336 bytes
First seen:	2021-08-05 07:49:25 UTC
Last seen:	2021-08-05 09:22:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep	98304:8SijExiybDRi7Eh6M4NnyWrsh85GraC/MDkr+DidXvh6d204OOR5qUf:GExiWR1kMAybhRmpLgJ6M8YYE
Threatray	90 similar samples on MalwareBazaar
TLSH	T14536123FB268653ED46A0B3246B3D350987BBA61B91A8C1F17F0091DCF664A10E3F756
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe Knassar DK ApS NetSupport signed

Code Signing Certificate

Organisation:	Knassar DK ApS
Issuer:	DigiCert EV Code Signing CA (SHA2)
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-03-04T00:00:00Z
Valid to:	2022-03-09T23:59:59Z
Serial number:	025020668f51235e9ecfff8cf00da63e
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	c3692225dad4b5b1ff909f3a769cd913f644a93b1953e149cfd612848af02007
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

288EF7708FC85BCCFB47C21943727B39.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-24 19:24:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f76b32a4-7ce8-4ca3-8ef2-83ce8df7b4c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176567/

Detection(s):

PUA.Win.Packer.Exe-6

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d01bdcbc-6b67-4511-a816-c1148c03ae68

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

rans.evad

Score:

26 / 100

Link:

https://www.joesandbox.com/analysis/827811

Signature

Contains functionalty to change the wallpaper

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3a2bc42672492c4a0d3a7fa4f0ad1352f3ccbc245903fd6010079903656f884/

Threat name:

Win32.Infostealer.ChePro

Status:

Malicious

First seen:

2021-06-24 19:23:22 UTC

File Type:

PE (Exe)

AV detection:

15 of 47 (31.91%)

Threat level:

5/5

Verdict:

unknown

Similar samples:

01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9

07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e

111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c

7879720cfa32665c40e8ffaaa0171ed47563698960d5885d20e0b6a7af8e08ff

7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1

7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548

827a427d329e934f5ff7826d647034818a56a69445aa97d08cc74bf801fcf0c2

978b4ac05a227b23ef7e4fadff92966339ba1413bac5a45e93f83a3064f8fd2f

9bb6f6446c4460f5cfc15f2c70bb6202caaf437553ce97b0c3ef196a582fca32

fe46c8f8924406e17a3e3a971abe4da511788e338ba438de9ac5a67c67335759

+ 80 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210805-aazvnbw2g2/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

25a6b49a3886d0c4c95427cbf65576241cf6c79b6f4ac8cf98c0f4c5cd11eae2

MD5 hash:

13359f2ce34a0fcb7b826b1699cba1b7

SHA1 hash:

43e74b681e1f54dadd575b08291c85291cbb847b

Link:

https://www.unpac.me/results/bdee712d-c4c4-4637-ab75-34b3cfbe9e7b/

SH256 hash:

b3a2bc42672492c4a0d3a7fa4f0ad1352f3ccbc245903fd6010079903656f884

MD5 hash:

38daa65155587e7fea048f60ab55ee6b

SHA1 hash:

dee0ebac7bcd49109d56a896d12dbc142e46f3db

Link:

https://www.unpac.me/results/bdee712d-c4c4-4637-ab75-34b3cfbe9e7b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b3a2bc42672492c4a0d3a7fa4f0ad1352f3ccbc245903fd6010079903656f884

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/176567/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample