MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
SHA3-384 hash: e6096796909f8503f8ebcfa68c0db53e31630a8b45b21ddc2d1f295a19a0ed7a82d2b5f8bbf528aa83abd8faea7327b7
SHA1 hash: c07f0a02c284b697dff119839f455836be39d10e
MD5 hash: 252dce576f9fbb9aaa7114dd7150f320
humanhash: five-diet-eighteen-arkansas
File name:taskhostw.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:112'176 bytes
First seen:2022-01-31 22:06:58 UTC
Last seen:2022-08-15 13:34:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9d50692e95b79723f3e76fcf70d023e (10 x NetSupport)
ssdeep 768:c5VZl6FhWr80/0fyXt/cfdtVJvriXiRzi:c90hG8f8dcFPVWXiI
Threatray 4 similar samples on MalwareBazaar
TLSH T152B3B84F468DE073EA52E93CC4859B044D60BDC8B5B058FB11AEF23E3E7278D6B6415A
File icon (PE):PE icon
dhash icon 4d2d52417121a151 (11 x NetSupport)
Reporter AndreGironda
Tags:exe NetSupport signed

Code Signing Certificate

Organisation:NetSupport Ltd
Issuer:Symantec Class 3 SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2017-09-15T00:00:00Z
Valid to:2020-09-22T23:59:59Z
Serial number: 79906faf4fbd75baa10b322356a07f6d
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: fcd6a7e626908dc8e5d3ce6fc9350ec099c42fb1ad1231a75208b54754985089
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
AndreGironda
MITRE T1566.002
Date: Tue, 01 Feb 2022 02:30-03:00 +0530
Received: from mailserver.cms502.com (45.35.190.176)
Subject: Re: RE: [EXTERNAL] Monday 12/13 Lunch
X-PHP-Script: drarpit.com/wp-content/plugins/wp-roilbask/includes/class-send.php for 180.245.92.151
X-PHP-Filename: /home/drarpit/public_html/wp-content/plugins/wp-roilbask/includes/class-send.php REMOTE_ADDR: 180.245.92.151
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary=e390b425167a3a0f253872f1b61ca8bf
From: Sara Roodbari (C) <SaraRoodbari(C)@drarpit.com>
Reply-To: SaraRoodbari(C)@drarpit.com
Message-Id: <E1nEe5K-00ACgC-Sf@g4.cms502.com>
X-Get-Message-Sender-Via: g4.cms502.com: authenticated_id: drarpit/from_h
X-Authenticated-Sender: g4.cms502.com: SaraRoodbari@drarpit.com
X-Source-Dir: drarpit.com:/public_html/wp-content/plugins/wp-roilbask/includes
X-Exim-Id: E1nEe5K-00ACgC-Sf
Return-Path: drarpit@g4.cms502.com
Message Body URL: hXXps://daneshdimond[.]ir/k/cds/8rZPQIw7_COcQ6C.zip
Plant URL Zipfile Name: 8rZPQIw7_COcQ6C.zip
Zipfile SHA256: 77e5a654a6acb3f1da73ccbfd243798d8dec3d9a185f21c871778dab32b77459
Zipfile Password -- DT3101
XLL Name: document[2022.01.31_20-06].xll
XLL SHA256: e11f17e247389f90f4dee59f4427bad088d369632cd2f77529af978b2926eee9

rundll32 C:\Users\Admin\Qlib.dll , huhovnae
BazaLoader DLL SHA256: 11c472b23a37113c686b264e110a0e230ab9850783931d122e6589c91c414677
NetSupport Executable SHA256: b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad

Intelligence

File Origin
# of uploads :
3
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SkGrjlci.zip
Verdict:
Malicious activity
Analysis date:
2021-04-21 15:00:23 UTC
Tags:
netsupport unwanted
Link:
https://app.any.run/tasks/9fe56455-9731-4fb4-9ca8-9bbe33eb215b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/228785/
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.889.1232.5132.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed remote.exe
Link:
https://www.filescan.io/uploads/61f85d8918d1bfdde4e3e3e6/reports/fea343db-5479-486a-a490-f655a1c79a42/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3ef300fa-d093-44d2-88b4-c7a42782a9a0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/931276
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad/
Threat name:
Win32.Trojan.NetSup
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 01:46:11 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
41e82e314fceb906d8618dbaa5d622cdea1b453ed74e3d358b5aafee0030490a
NetSupport
676855ec417547222bff9b45b7ab109f0d58c4b2cc9b2ad00e0304f5915de1ec
NetSupport
Unpacked files
SH256 hash:
b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
MD5 hash:
252dce576f9fbb9aaa7114dd7150f320
SHA1 hash:
c07f0a02c284b697dff119839f455836be39d10e
Link:
https://www.unpac.me/results/969a886d-51ec-4dbd-95c1-650542c2e69c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_79906faf4fbd75baa10b322356a07f6d
Create hunting rule
Author:ditekSHen
Description:Detects NetSupport (client) signed executables

File information

The table below shows additional information about this malware sample such as delivery method and external references.

NetSupport

DLL dll 11c472b23a37113c686b264e110a0e230ab9850783931d122e6589c91c414677

NetSupport

Executable exe b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad

(this sample)

  
Link
https://tria.ge/220131-z8qglacfg6
  
Dropped by
SHA256 11c472b23a37113c686b264e110a0e230ab9850783931d122e6589c91c414677
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/228785/

Comments