MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b55857083f5c118c9ef16f16525872b672c51cbb4269990d7f7dce3d00bd1934. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	b55857083f5c118c9ef16f16525872b672c51cbb4269990d7f7dce3d00bd1934
SHA3-384 hash:	be7fabb14cc90b8b9eb83301325fd6781370c2186fae56c71631aa6fe2a1b36f6d90247cfc35cf343d2859bdd2073dcc
SHA1 hash:	8a9bc6b476e56c1f6646e303b8130085b302afc1
MD5 hash:	2d9fc8925ff2fdeb566e132d0ce70eb7
humanhash:	four-table-pip-idaho
File name:	2d9fc8925ff2fdeb566e132d0ce70eb7.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'773'355 bytes
First seen:	2022-11-25 09:35:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f3173778f088ce2b56b8257bfe393419 (6 x NetSupport, 1 x njrat, 1 x RedLineStealer)
ssdeep	49152:BjgqXD9JMTUnjw/SS+D1H29m4mWNx4F5yWCVvAiTe/WHl6du6XcsRebX:BjHX7MTujw/SlNgN1vRe/WHYdu6MsRIX
Threatray	450 similar samples on MalwareBazaar
TLSH	T126D5F0A1287CF02ED341923DE572CFF5A5296CA1E5D010B7AA953EEB3D7241385236CE
TrID	32.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.7% (.SCR) Windows screen saver (13097/50/3) 11.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	0f969696170f9696 (1 x NetSupport)
Reporter	abuse_ch
Tags:	exe NetSupport

abuse_ch

NetSupport C2:
185.158.251.35:4421

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://artisanmtrading.com/risk/Fraud-cases_risk_transactions_pdf.zip

Verdict:

No threats detected

Analysis date:

2022-11-22 13:20:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3918a00c-75e2-4b1e-a3ef-af6c0f242f9b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/338395/

Detection(s):

SecuriteInfo.com.Program.RemoteAdmin.837.11923.27396.UNOFFICIAL

PUA.Win.Packer.Pseudosigner-36

PUA.Win.Packer.BorlandDelphiKo-1

SecuriteInfo.com.Program.RemoteAdmin.837.6774.30868.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.3564.9146.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.19536.7356.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

DNS request

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Sending a custom TCP request

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed remoteadmin shell32.dll virus

Link:

https://www.filescan.io/uploads/63808c835be128ac718ec52b/reports/619bf406-b4bb-47cc-818d-841de2d9f9d7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/619b6331-7161-46bc-9489-17ef9ed7833d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1121047

Signature

Antivirus detection for URL or domain

Delayed program exit found

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b55857083f5c118c9ef16f16525872b672c51cbb4269990d7f7dce3d00bd1934/

Threat name:

Win32.Trojan.NetSup

Status:

Malicious

First seen:

2022-11-22 00:42:02 UTC

File Type:

PE (Exe)

Extracted files:

461

AV detection:

27 of 41 (65.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wvmfocb7lqiyzhxrn4lfewdswzzmkhf3ijuzsdl7pxhd2af5de2a._file

Verdict:

suspicious

NetSupport

28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8

NetSupport

5a7de361bcc0ff503cf974023547853abe74c8bc336bcd04983dd42a39b4015a

NetSupport

6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8

NetSupport

bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b

NetSupport

c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f

NetSupport

db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856

NetSupport

fb76386ce3f17a25d59046a70cc05898bcccc7422ab92681777071e46d8943e5

NetSupport

+ 440 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport rat

Link:

https://tria.ge/reports/221125-lkxdcagd27/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

NetSupport

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8ce81683-3a32-47b5-bed7-ce63f5372907

Unpacked files

SH256 hash:

683235142ee49408c006af323698db2f09dcaf5ec3c0cfba42bdd1de42c2eb07

MD5 hash:

3d156a2bfaeea496991179538844062e

SHA1 hash:

eec270e16c5b505d3e776ba131d9e72581a1331e

Link:

https://www.unpac.me/results/c0fc42c2-345e-4641-86e2-1920ea36a74b/

SH256 hash:

81f3a2bd45c0c29d58dae311536261d92d862396115bcbe584046b60ee8ce791

MD5 hash:

d6a5ee6a7bb839cda61ac3edcc0927b6

SHA1 hash:

e034d5be950513b2b6000f89e1aa594b468a9c76

Link:

https://www.unpac.me/results/c0fc42c2-345e-4641-86e2-1920ea36a74b/

SH256 hash:

fc8556900dd9583a376edf32b159594d70f996fa37767326d2fb4aea8f7330c6

MD5 hash:

1d13182dcfc79c8af83f6dc45603e923

SHA1 hash:

d9e7e3fc93ef0ce7de8cc338591d380d01c2dcf1

Link:

https://www.unpac.me/results/c0fc42c2-345e-4641-86e2-1920ea36a74b/

SH256 hash:

c1c5768897e116792fd7c9db3ffc0e8473eec66cc7a1aa6c06afe5b11f5825d2

MD5 hash:

5117dd405ddd877746a7481fbb956e79

SHA1 hash:

8425fad71324d637405444a29c18b4d84f948baf

Link:

https://www.unpac.me/results/c0fc42c2-345e-4641-86e2-1920ea36a74b/

SH256 hash:

d0f8f28dfb24d702d7d555cf7945530bed03ccb57dcca772a9a016134a4b66b8

MD5 hash:

17fa6d6b04d9fa0a09719f164a872c8b

SHA1 hash:

5eaba33ad473efab8fe81f6a869a912e6fe026b0

Link:

https://www.unpac.me/results/c0fc42c2-345e-4641-86e2-1920ea36a74b/

SH256 hash:

ec69eba414c121c3f14d8d147522320a4551fefc1ed700eb50c450862dd84221

MD5 hash:

69193e7d3fde5d8b6dd2616a7cece063

SHA1 hash:

12725f83f40d905f883527ce15d55af2fe59a6c7

Link:

https://www.unpac.me/results/c0fc42c2-345e-4641-86e2-1920ea36a74b/

SH256 hash:

b55857083f5c118c9ef16f16525872b672c51cbb4269990d7f7dce3d00bd1934

MD5 hash:

2d9fc8925ff2fdeb566e132d0ce70eb7

SHA1 hash:

8a9bc6b476e56c1f6646e303b8130085b302afc1

Link:

https://www.unpac.me/results/c0fc42c2-345e-4641-86e2-1920ea36a74b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NetSupportManager RAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b55857083f5c118c9ef16f16525872b672c51cbb4269990d7f7dce3d00bd1934

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/338395/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample