MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b
SHA3-384 hash: 383c3ddad8f80c34e42b5b7f3b58da853fdf7f7488078e275183c08a84f4942bbca849471f86d7e8182acc11213ba753
SHA1 hash: 523be6fdb9b5740146f5d24b17193cf62ff4c35f
MD5 hash: e3763ad6ab1f66bfd0240db96ccdc0be
humanhash: india-india-zulu-delaware
File name:Cloudflare_security_install.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:36'081'878 bytes
First seen:2022-09-15 11:26:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fdea00646d77e95955396ef4ea72bea5 (2 x NetSupport, 1 x Babadeda, 1 x ArkeiStealer)
ssdeep 786432:SQRwdPcR5MRDY8X9XRTuCpZD7U4qRVOtIqNi0f9jphU7oDM8ETp9a6KPih:1RwdPcR5uDYg1pZfUNRctpNi0f9dhU7r
Threatray 106 similar samples on MalwareBazaar
TLSH T179872345EA8760F1EC530970C15BF76F4B20BE019024CDBDEE487E9CED73A96660A35A
TrID 34.8% (.EXE) InstallShield setup (43053/19/16)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
13.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 04d0988ec331ce00 (2 x NetSupport)
Reporter abuse_ch
Tags:Babadeda exe NetSupport she32rn1-com socgolish


Avatar
abuse_ch
Payload URL:
https://tcfsfireandsafety.com/Cloudflare_security_install.iso

NetSupport C2:
she32rn1.com:5511 (23.227.193.80)

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
Cloudflare_security_install.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 08:17:25 UTC
Tags:
installer unwanted netsupport
Link:
https://app.any.run/tasks/3378ebe7-95c5-4b0f-8862-c7e811348014

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Searching for synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a service
Enabling autorun for a service
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37692/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/63230c106da26524a140c32f/reports/43c384cd-1bd3-45ed-9a7c-037d933af972/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1070840
Signature
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
Yara detected Babadeda
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703381 Sample: Cloudflare_security_install.exe Startdate: 15/09/2022 Architecture: WINDOWS Score: 64 52 Multi AV Scanner detection for dropped file 2->52 54 Yara detected Babadeda 2->54 56 Sigma detected: Drops script at startup location 2->56 7 Cloudflare_security_install.exe 1 96 2->7         started        10 client32.exe 2->10         started        process3 file4 22 C:\Users\user\AppData\Roaming\...\gwspro.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Roaming\...\gp, RIFF 7->24 dropped 26 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32 7->26 dropped 28 68 other files (none is malicious) 7->28 dropped 12 gwspro.exe 22 7->12         started        process5 file6 30 C:\Users\user\AppData\...30etSupport.url, data 12->30 dropped 32 C:\Users\user\AppData\...\uninstall.exe, PE32 12->32 dropped 34 C:\Users\user\AppData\...\remcmdstub.exe, PE32 12->34 dropped 36 8 other files (none is malicious) 12->36 dropped 15 uninstall.exe 74 12->15         started        18 client32.exe 18 12->18         started        process7 dnsIp8 38 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 15->38 dropped 40 C:\Program Files (x86)behaviorgraphoogle\...\psuser.dll, PE32 15->40 dropped 42 C:\Program Files (x86)\...\psmachine_64.dll, PE32+ 15->42 dropped 44 65 other files (none is malicious) 15->44 dropped 46 23.227.193.80 HVC-ASUS United States 18->46 48 8.8.8.8 GOOGLEUS United States 18->48 50 195.171.92.116 BT-UK-ASBTnetUKRegionalnetworkGB United Kingdom 18->50 58 Multi AV Scanner detection for dropped file 18->58 file9 signatures10
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlktivao2v24ee55gt7b6iog77ffqfu6tsoigzuxjhb7ny4y5jfq._file
Verdict:
malicious
Similar samples:
28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8
NetSupport
6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
NetSupport
8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64
NetSupport
b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d
NetSupport
c0a2b7fadd4a95724bde0514baca54dd68fb6aa14237df8bd65b7243e1f68b41
NetSupport
d2f9dc8e7278a2ec0aa634536ac8d23db209aba8ca0e109ce80469c27517ab33
NetSupport
df5b822cfb367fb862dce788d16009b0299461c8543c5098009fb85dd2150170
NetSupport
+ 96 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:babadeda family:netsupport crypter discovery evasion loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220915-nkeveagfar/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Checks whether UAC is enabled
Maps connected drives based on registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Registers COM server for autorun
Sets file execution options in registry
Babadeda
Babadeda Crypter
NetSupport
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1d54c5ea-c4b6-4657-b2e4-a940e91cf83d
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bad534540ed5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

Executable exe bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2303490/
  
Link
https://threatfox.abuse.ch/ioc/849827/
  
Link
https://threatfox.abuse.ch/ioc/849826/
  
Delivery method
Distributed via web download

Comments