MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514
SHA3-384 hash: f00f86918fb51e49748de6d07f405ea707e42ed3d8077bd6535310282671262f7971aa8d2c7a23f25a1de7942bff5941
SHA1 hash: 5da137ae88ea96b2cdb68aacd406b79c302d6904
MD5 hash: 81d53bf8b406dff2c33477f1a6225bf0
humanhash: ohio-kansas-johnny-paris
File name:81d53bf8b406dff2c33477f1a6225bf0
Download: download sample
Signature NetSupport
Create hunting rule
File size:1'454'592 bytes
First seen:2023-06-20 07:16:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ad6274b75a00990cfd4f51a1d6508333 (2 x NetSupport)
ssdeep 24576:KfAEcs/3crIt5qIi7OtHS1E2oTkABMxrQsAbshp:KIE1rvU7OJwr3cnbs
Threatray 260 similar samples on MalwareBazaar
TLSH T104657E23F2C2C53FC0722A7C9D5BB699D8257D102E38A8467BE44E4C1E3974239796E7
TrID 69.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe NetSupport securiji1-com securiji2-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
81d53bf8b406dff2c33477f1a6225bf0
Verdict:
Suspicious activity
Analysis date:
2023-06-20 07:38:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ea28e71-9cb4-4e05-abfa-f84b29939ff2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400904/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.13966.32685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger lolbin shell32.dll
Link:
https://www.filescan.io/uploads/649152710f5b3414b1c80823/reports/8b44b0ae-52af-4715-a19b-14c9f94cb117/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a30d6aa4-3bce-480f-8645-0fd29cedd54a
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257979
Signature
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891001 Sample: h4xLqdzN0y.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 2 other signatures 2->44 7 h4xLqdzN0y.exe 27 2->7         started        12 client32.exe 2->12         started        process3 dnsIp4 30 drownways.com 149.100.151.190, 443, 49692 COGENT-174US United States 7->30 22 C:\Users\user\AppData\...\remcmdstub.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32 7->24 dropped 26 C:\Users\user\AppData\...\client32.exe, PE32 7->26 dropped 28 6 other files (none is malicious) 7->28 dropped 46 Detected unpacking (changes PE section rights) 7->46 48 Detected unpacking (overwrites its own PE header) 7->48 50 Found evasive API chain (may stop execution after checking mutex) 7->50 52 Uses schtasks.exe or at.exe to add and modify task schedules 7->52 14 client32.exe 15 7->14         started        18 schtasks.exe 1 7->18         started        file5 signatures6 process7 dnsIp8 32 securiji1.com 209.250.244.251, 1212, 49693 AS-CHOOPAUS European Union 14->32 34 geography.netsupportsoftware.com 62.172.138.8, 49694, 49695, 49696 BTGB United Kingdom 14->34 36 geo.netsupportsoftware.com 14->36 54 Contains functionality to modify clipboard data 14->54 20 conhost.exe 18->20         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 07:17:08 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wr3xj6yzjo4ajqbyjenljs5ado2foob26bpu42y735ditcqyeuka._file
Verdict:
malicious
Similar samples:
23e9d7d9409b022e6996ade3d661136363aa739439b1c3ed404b0073e8a86bdd
NetSupport
3c502bb5021338ef3778c4dd6ca43f9afa1fbda25e0f13a5d956482eae80ac11
NetSupport
4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173
NetSupport
4f6cb888a4dfade727490683feaee96679d7044f0181799c18a8c7060cb8dab3
NetSupport
684bd7367b7f3365a7420b767632c453fa2ae68a937723cfc9b38a2381097ad6
NetSupport
6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
NetSupport
b0471a55b4f76bdac67acf88eaaed2335198732afbbb5e37adec4c4346cc1edf
NetSupport
+ 250 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230620-h4c72aag23/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
1c5f0270e358fd7ea180bb0d3ff7dc1949fbd7de86f95b42ac13d5e5bf6afab7
MD5 hash:
9e5ef5a354a6410fda85d219f9434624
SHA1 hash:
f02379916b89874d2867ff80decf7083f1e2543f
Link:
https://www.unpac.me/results/63223cba-5757-4a37-ad3d-919d71ca3efd/
SH256 hash:
b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514
MD5 hash:
81d53bf8b406dff2c33477f1a6225bf0
SHA1 hash:
5da137ae88ea96b2cdb68aacd406b79c302d6904
Link:
https://www.unpac.me/results/63223cba-5757-4a37-ad3d-919d71ca3efd/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b47774fb194b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

Executable exe b47774fb194bb804c038491ab4cba01bb457383af05f4e6b1fdf46898a182514

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/400904/

Comments


Avatar
zbet commented on 2023-06-20 07:16:33 UTC

url : hxxps://adrem-soft.com/vp2023.exe