MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4e0ddcf69631a6f24718c6a25ef4eee2c13d56a581ec4f102e9388b39bfb041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 11



SHA256 hash: b4e0ddcf69631a6f24718c6a25ef4eee2c13d56a581ec4f102e9388b39bfb041
SHA3-384 hash: 61ba70dfec829f99b96b22a335894e1b2f8028df48db58b1c45a15fbc2e168d7e94112ef32a3a069bbdbb98c8de901c9
SHA1 hash: 09bbc125d5e7fba8bfbd1c26b71c7f0496b7e574
MD5 hash: 5331532e760e8d1006f09ab8be38efe4
humanhash: echo-tango-whiskey-dakota
File name: 5331532e760e8d1006f09ab8be38efe4.exe
Signature: NetSupport
File size: 2'619'980 bytes
First seen: 2023-03-21 15:15:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1f4f257947c1b713ca7f9bc25f914039 (4 x NetSupport, 1 x AsyncRAT)
ssdeep: 49152:xFeJD6gLQsN5kEtXhd9Gvf6Hgx6nlhXesKb40lKSm8:GD95kEtP9Gvf6AO5IMMKu
Threatray: 80 similar samples on MalwareBazaar
TLSH: T196C5DE6AED4EC2A3FF98C27BD42AC6F477F04D50D85D5237A859BF457232EA43286204
TrID: 73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.6% (.SCR) Windows screen saver (13097/50/3)
      2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: 0e170f8c17079696 (1 x NetSupport)
Reporter: abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
168.100.8.39:2105
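The hash fields of the entry above and the C2 socket in abuse_ch's comment are the two things a responder actually acts on: the hashes to confirm that a fetched file is the sample this page describes before detonating it, and the C2 to search network telemetry. The following helper is an added example, not MalwareBazaar code; the digests, imphash, size and C2 address are the values published on this page, while the sample bytes, the flow-log line format and the imphash records it runs against are constructed for demonstration (the sample itself is not embedded). It also shows why the imphash is a pivot rather than a verdict: the page reports it on four NetSupport samples and one AsyncRAT sample.

```python
"""Triage helper built from this MalwareBazaar entry (added example, not site code).

Hash values, imphash, size and the C2 socket are the ones published on this
page. The sample blob, the flow lines and the imphash records are CONSTRUCTED.
"""
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Fields published on this entry.
ENTRY: Dict[str, object] = {
    "sha256": "b4e0ddcf69631a6f24718c6a25ef4eee2c13d56a581ec4f102e9388b39bfb041",
    "sha3_384": "61ba70dfec829f99b96b22a335894e1b2f8028df48db58b1c45a15fbc2e168d7e94112ef32a3a069bbdbb98c8de901c9",
    "sha1": "09bbc125d5e7fba8bfbd1c26b71c7f0496b7e574",
    "md5": "5331532e760e8d1006f09ab8be38efe4",
    "imphash": "1f4f257947c1b713ca7f9bc25f914039",
    "size": 2619980,
}
# NetSupport C2 from abuse_ch's comment.
C2: Tuple[str, int] = ("168.100.8.39", 2105)


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Digest a blob with the four algorithms MalwareBazaar lists."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, entry: Dict[str, object]) -> List[str]:
    """Return the entry fields the blob does NOT satisfy; [] means it is this sample.

    Run this on anything pulled from a download link before detonation: a
    truncated or re-packed file would analyse as something else entirely.
    """
    mismatches = [name for name, digest in compute_hashes(data).items()
                  if digest != entry[name]]
    if len(data) != entry["size"]:
        mismatches.append("size")
    return mismatches


def pivot_imphash(records: Iterable[Tuple[str, str, str]],
                  imphash: str) -> Dict[str, List[str]]:
    """Group SHA256s that share the entry's imphash, keyed by labelled family.

    A shared imphash points at a common build or packer, not a family verdict
    (this one is seen on NetSupport and AsyncRAT), so families are kept apart.
    """
    out: Dict[str, List[str]] = {}
    for sha256, rec_imphash, family in records:
        if rec_imphash == imphash:
            out.setdefault(family, []).append(sha256)
    return out


# Constructed flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>".
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def match_c2(flow_lines: Iterable[str], c2: Tuple[str, int]) -> List[Dict[str, object]]:
    """Flag flows to the C2 host; exact=True only when the port matches too.

    The sandbox note "uses known network protocols on non-standard ports" is
    why a destination-IP-only hit is still reported rather than dropped.
    """
    c2_ip = ipaddress.ip_address(c2[0])
    hits: List[Dict[str, object]] = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip, do not guess
        if ipaddress.ip_address(m["dst"]) != c2_ip:
            continue
        dport = int(m["dport"])
        hits.append({"ts": m["ts"], "src": m["src"], "dport": dport,
                     "exact": dport == c2[1]})
    return hits


# --- constructed demo input (not from the page) ---
FAKE_BLOB = b"MZ" + b"\x00" * 62 + b"not the real sample"
FAKE_RECORDS = [
    ("aa" * 32, ENTRY["imphash"], "NetSupport"),
    ("bb" * 32, ENTRY["imphash"], "AsyncRAT"),
    ("cc" * 32, "0" * 32, "NetSupport"),
]
FAKE_FLOWS = [
    "2023-03-21T15:20:01Z 10.0.0.12:49812 -> 168.100.8.39:2105 tcp",
    "2023-03-21T15:20:03Z 10.0.0.12:49813 -> 168.100.8.39:443 tcp",
    "2023-03-21T15:20:05Z 10.0.0.12:49814 -> 192.0.2.10:443 tcp",
    "garbage line",
]

if __name__ == "__main__":
    print("mismatches:", verify_sample(FAKE_BLOB, ENTRY))
    print("imphash pivot:", pivot_imphash(FAKE_RECORDS, ENTRY["imphash"]))
    for hit in match_c2(FAKE_FLOWS, C2):
        print("C2 hit:", hit)
```

Point `verify_sample` at the bytes of a real download and it returns an empty list only for the exact file this entry describes; any non-empty result means you are about to analyse something other than what the vendor verdicts below refer to.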

Intelligence


File Origin
# of uploads: 1
# of downloads: 270
Origin country: n/a

Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: 5331532e760e8d1006f09ab8be38efe4.exe
Verdict: Malicious activity
Analysis date: 2023-03-21 15:18:13 UTC
Tags: unwanted netsupport

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed remoteadmin shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 64 / 100
Signature
Found potential ransomware demand text
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
1. SHA256: 3b449af695d92e3232107f32ae052e09e312dfdc69096f6655933378bd71e101
   MD5: a194264926757c920977e75e32317663
   SHA1: f1cc5dc4655c9e690631fa813b1c9b16c0a20a2b
2. SHA256: 7fc8794f1ce95eed49799a8d89672c9db3d80677e28ca61c54b5972ebb1839df
   MD5: 3bb46301f2f54959cdef6b7b520c4a74
   SHA1: e30e1e86c73a653629119c71a849a16ca0a9d546
3. SHA256: 279423a114710efffd90be0cf997063e5d53feabdabd5d00968837b6bcd386f3
   MD5: 1feefd26e5ab5645822f84eebeb44b55
   SHA1: b4fa99f3e1165fad76fc18a1565ef2a26636d7d7
4. SHA256: 209c0d6356baede4f5fa9f7719b660283abf2e0a8ee26a165c327989a85709da
   MD5: f99ecc4cbf741fec9c6b5c3285603980
   SHA1: a04b12572bed4df10a33b5c8fb8755ea05f6dc33
5. SHA256: 82d84a77938a22cf3ac92dd348b63d60f4cf8b63ae098afc3682b0c37eddfa41
   MD5: 3c2015fe903adf672d3910394da37730
   SHA1: 716f04aa60a005666815f59bbf19d94b4e46aaa9
6. SHA256: 6e720ea9eaf790bd3bfd0b9538116f859d075cb21372730b3b61c523cb223ab5
   MD5: c1e217cbfdebbe6efda449483ed26184
   SHA1: 266fa8bfc609caa23cf9d58b83503bcacd605591
7. SHA256: b4e0ddcf69631a6f24718c6a25ef4eee2c13d56a581ec4f102e9388b39bfb041 (the submitted sample itself)
   MD5: 5331532e760e8d1006f09ab8be38efe4
   SHA1: 09bbc125d5e7fba8bfbd1c26b71c7f0496b7e574
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments