MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6a0cc1e5488c0c9f1429d1744f8c2f81f7dce4229b8322fbdad043cd9084b1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 9



SHA256 hash: b6a0cc1e5488c0c9f1429d1744f8c2f81f7dce4229b8322fbdad043cd9084b1f
SHA3-384 hash: 33311e64f7a48289cf37db01e2a19b9f30d521231957705408458d0407913c345aa24e7d4e6e75fb856d45f100543031
SHA1 hash: b00e619270665c52a6d51ab9cd119aceaa34cd24
MD5 hash: 88eb1f48be9f402a57f604c0a9aae82e
humanhash: bakerloo-salami-illinois-pasta
File name: B6A0CC1E5488C0C9F1429D1744F8C2F81F7DCE4229B83.exe
Download: download sample
Signature NetSupport
File size: 2'595'840 bytes
First seen: 2022-02-14 19:31:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 49152:pEl3r2sbp0Y5B87b4ECTHj7BLWE8uT9hMVtYgtmQH2LIU/3Wwe/J9oMSMf:qqsbfKHwTHfBz8AmLfmQW3Wwe/J9gMf
TLSH T1D8C5334EABD419AAE0768F704AB156C71A327C516B39C5DF668C8C3F6E233D06630F52
File icon (PE): PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe NetSupport


abuse_ch
NetSupport C2:
185.225.19.97:1203

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC    ThreatFox Reference
185.225.19.97:1203 https://threatfox.abuse.ch/ioc/387766/

Intelligence


File Origin
# of uploads:
1
# of downloads:
275
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/download/b6a0cc1e5488c0c9f1429d1744f8c2f81f7dce4229b8322fbdad043cd9084b1f/
Verdict:
No threats detected
Analysis date:
2022-02-15 01:22:33 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Searching for synchronization primitives
Connecting to a non-recommended domain
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Possible injection to a system process
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
advpack.dll control.exe explorer.exe packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph: Behavior Graph ID 572170, Sample B6A0CC1E5488C0C9F1429D1744F..., Startdate 14/02/2022, Architecture WINDOWS, Score 100 (rendered process/network graph not reproduced here)
Threat name:
Win64.Trojan.Phonzy
Status:
Malicious
First seen:
2022-02-11 00:37:54 UTC
File Type:
PE+ (Exe)
Extracted files:
124
AV detection:
32 of 43 (74.42%)
Threat level:
5/5
Result
Malware family:
netsupport
Score:
10/10
Tags:
family:netsupport discovery evasion persistence rat trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Drops startup file
Loads dropped DLL
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Sets file execution options in registry
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender notification settings
NetSupport
Registers COM server for autorun
Unpacked files
SHA256 hash:
b6a0cc1e5488c0c9f1429d1744f8c2f81f7dce4229b8322fbdad043cd9084b1f
MD5 hash:
88eb1f48be9f402a57f604c0a9aae82e
SHA1 hash:
b00e619270665c52a6d51ab9cd119aceaa34cd24
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments