MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d
SHA3-384 hash: 8e795484e2423c3f941fe3ec2aaa12220a0a52c73c343a7b0e0264240498167793dfd79087c08cbb2102872057f4776f
SHA1 hash: f394fec44a820e2cd62c5a9398b55d032b320d17
MD5 hash: b597ebcdc3a17e62d141451e3a7e611a
humanhash: texas-fix-lemon-arizona
File name:b597ebcdc3a17e62d141451e3a7e611a.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:6'220'672 bytes
First seen:2022-08-15 11:15:21 UTC
Last seen:2022-08-15 12:12:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 98304:2kLMk6WkBi7yFBVoPYLGLrx1mz58jZoWV8L6bmkc9gmjVRbbUlPB645YA3+/J6Z5:BMknksyC02rx1/ocWpxj/U8RA8E
Threatray 386 similar samples on MalwareBazaar
TLSH T1FC56123FB268753ED5AA0B7216738360997BBAA1B80A8C1F17F4080DCF665601F3F655
TrID 59.6% (.EXE) Inno Setup installer (109740/4/30)
22.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4416e8d4d4d496dd (1 x NetSupport)
Reporter abuse_ch
Tags:exe NetSupport signed

Code Signing Certificate

Organisation:Rbit Limited
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-03T00:00:00Z
Valid to:2022-12-02T23:59:59Z
Serial number: 0d848b64f0e176904ffc50de2497d6e8
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a55299c441b7f90db1e464f13a35d67ed75d30b5ec158c910756f6640015b882
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
NetSupport C2:
95.217.192.144:9999

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.217.192.144:9999 https://threatfox.abuse.ch/ioc/843269/

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b597ebcdc3a17e62d141451e3a7e611a.exe
Verdict:
Malicious activity
Analysis date:
2022-08-15 11:16:05 UTC
Tags:
installer
Link:
https://app.any.run/tasks/161bd1f7-afa4-4251-93e8-354275f87c6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298641/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28985/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
60%
Tags:
netsupport overlay packed remoteadmin setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62fa2af7080024921b7a7251/reports/cfaa82fb-8759-4402-abca-380d769c0895/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/617f1733-f480-4716-a73b-4080d7cb8ea2
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
troj.evad
Score:
38 / 100
Link:
https://www.joesandbox.com/analysis/1051466
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d/
Threat name:
Win32.Infostealer.ChePro
Create hunting rule
Status:
Malicious
First seen:
2022-08-09 14:37:00 UTC
File Type:
PE (Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhb526l5fjmq3jrmjasnmwfnrxwpd3i77j337ksh6pyssztvpigq._file
Verdict:
malicious
Similar samples:
09382dc05e7e784bcc2c4307ff151a0959bec4f5b984b77b2c257ef189b86665
NetSupport
11a7b5537ad0eebf531ae247203c2d8646f1bbcfcb95b195efa385429c4e2241
NetSupport
3a1625ebc4e9afe5205ccaac0a98723523d8e222181a76eea8f6e5402960a28f
NetSupport
43ce35a2995cbd1d746f3b5028a07a4e153d40834567ec0576540f06f4dadbd8
NetSupport
64876237acae65667fe8f7ab3ffb01c5674249fa72645e95402e53202b988ea3
NetSupport
802d22bf67b8513307c580f5eab0c07434f0791aa451a47dc261681ab0ddfd29
NetSupport
b91fa9a1d21c823b0a974570af93cc88234eaafb4126909abfe4cac36a91b0c9
NetSupport
d0317ad7c973c5aa91f1e930093916db9969fd023e00efd89e01bd7fb7408016
NetSupport
+ 376 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220815-nc5e4acge8/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f31cbfe95412d3c62c09e0b4bd0376880a9eca3523990cd0e9cc674e3b4f19a3
MD5 hash:
cc56128e3330eef1e32e339dd30c8e48
SHA1 hash:
e063e7363997be5e54f1eb5a4d521d0e8c6091dd
Link:
https://www.unpac.me/results/23e4c376-0dbd-4064-8ce7-d7876f17d338/
SH256 hash:
b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d
MD5 hash:
b597ebcdc3a17e62d141451e3a7e611a
SHA1 hash:
f394fec44a820e2cd62c5a9398b55d032b320d17
Link:
https://www.unpac.me/results/23e4c376-0dbd-4064-8ce7-d7876f17d338/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298641/

Comments