MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf81ccb4452131d4b14953bd9848937647f1259d7c8e7b9083db93de278c4b54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf81ccb4452131d4b14953bd9848937647f1259d7c8e7b9083db93de278c4b54
SHA3-384 hash: 55b2983cd853a0af9301253428136eb856ce9a2cbaccdf7e6ac5f946f612eeee557240e80966fdbd20f22530776b1bc6
SHA1 hash: cea9dfe2975297258f964dc1852faa1e2ae014e8
MD5 hash: 4025b57f8a01ba6aea3896f7825602d6
humanhash: sink-cat-blossom-october
File name:BF81CCB4452131D4B14953BD9848937647F1259D7C8E7.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'900'704 bytes
First seen:2023-03-25 18:00:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f3173778f088ce2b56b8257bfe393419 (6 x NetSupport, 1 x njrat, 1 x RedLineStealer)
ssdeep 49152:vL3zTcI+5heQHcUrP4w1HK9mGWNw4FtIelqY/lt3JvU/BkQhKIAYYq:vXTB4eQHDrP4U7N3L/lt3JvvsAYY
TLSH T15CD5232372858C52D43193F94062CB7A9623FEB47970404B56F5BD3BFA731A28E16A87
TrID 32.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.7% (.SCR) Windows screen saver (13097/50/3)
11.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon c40094ccc9688068 (1 x NetSupport)
Reporter abuse_ch
Tags:exe NetSupport signed

Code Signing Certificate

Organisation:DAMOKLES SECURITY INNOVATIONS LTD.
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-24T16:45:19Z
Valid to:2023-03-04T21:45:06Z
Serial number: 5b98e466d6e65c422f7990e8
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a45ba21de64b1e2a1b02caf9934f5d20def1031cc57f5099e3fd54ce3fa2269b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
NetSupport C2:
162.33.177.5:3961

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
BF81CCB4452131D4B14953BD9848937647F1259D7C8E7.exe
Verdict:
Malicious activity
Analysis date:
2023-03-25 18:02:25 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/44fc9b85-79b8-4348-a8e4-30bb86b08910

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/377432/
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.837.11923.27396.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.BorlandDelphiKo-1
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.6774.30868.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.3564.9146.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.19536.7356.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74867/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware netsupport netsupportmanager overlay packed remoteadmin shell32.dll virus
Link:
https://www.filescan.io/uploads/641f36df39ca37cf45d0240f/reports/307b5f4d-6e35-470b-9604-8b940be7f1b4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/bf81ccb4452131d4b14953bd9848937647f1259d7c8e7b9083db93de278c4b54
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60e8abfd-196f-4e2a-8877-d10c8e51c164
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1201929
Signature
Delayed program exit found
Found potential ransomware demand text
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf81ccb4452131d4b14953bd9848937647f1259d7c8e7b9083db93de278c4b54/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 03:21:24 UTC
File Type:
PE (Exe)
Extracted files:
470
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6a4zncfeey5jmkjko6zqsetozd7cjm5pshhxeed3oj54j4mjnka._file
Verdict:
malicious
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230325-wlvw1sfh5s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
fc8556900dd9583a376edf32b159594d70f996fa37767326d2fb4aea8f7330c6
MD5 hash:
1d13182dcfc79c8af83f6dc45603e923
SHA1 hash:
d9e7e3fc93ef0ce7de8cc338591d380d01c2dcf1
Link:
https://www.unpac.me/results/296a3a46-fb41-4027-ad98-27a4d17fdbcc/
SH256 hash:
1ade4aba59a90f0258ecb919891394cd0f4ab782ddb1ba2f05d6632aba1a4012
MD5 hash:
eae499f0d16d1ba75efd79debfaeff34
SHA1 hash:
c5a0cc83bc60552336bb6c904dea32d52cf92668
Link:
https://www.unpac.me/results/296a3a46-fb41-4027-ad98-27a4d17fdbcc/
SH256 hash:
f64ed3d36b1b4639d7c4200568804693909b4d92abcdbc4b50b34ddae4e90cad
MD5 hash:
5f7fae1bf0e1b421af3fcbd29c15be8a
SHA1 hash:
b7fa19abdef7310004a6704bde8653572cf71003
Link:
https://www.unpac.me/results/296a3a46-fb41-4027-ad98-27a4d17fdbcc/
SH256 hash:
e290a7a7a35cb3d897a3ab067945129e5d8755c191b0ad9ab3df7f9bf68c12b6
MD5 hash:
c4fce5f84e2f5e32bbf05d58e097fb50
SHA1 hash:
a4a8064002a410f3fb8b59ada3dcba36f43a1c6a
Link:
https://www.unpac.me/results/296a3a46-fb41-4027-ad98-27a4d17fdbcc/
SH256 hash:
4db00fd119f5ef7bece70e91aebd9cec92677400346da12636868b6e8031e744
MD5 hash:
eca523cc80c67c5cad90e4f32e63fd85
SHA1 hash:
5e49d3468f8e1b17770ed0c92ac0ff29b490e077
Link:
https://www.unpac.me/results/296a3a46-fb41-4027-ad98-27a4d17fdbcc/
SH256 hash:
4fc02de3305c8e4b4d9dbb7cc111beb3ec1a1642ddd6a9eee589ad1f5a75af05
MD5 hash:
8eb341bc940696babfcc220e961413fe
SHA1 hash:
2b9da7aefab656729c7e17355e978e5ad8b51a06
Link:
https://www.unpac.me/results/296a3a46-fb41-4027-ad98-27a4d17fdbcc/
SH256 hash:
bf81ccb4452131d4b14953bd9848937647f1259d7c8e7b9083db93de278c4b54
MD5 hash:
4025b57f8a01ba6aea3896f7825602d6
SHA1 hash:
cea9dfe2975297258f964dc1852faa1e2ae014e8
Link:
https://www.unpac.me/results/296a3a46-fb41-4027-ad98-27a4d17fdbcc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf81ccb4452131d4b14953bd9848937647f1259d7c8e7b9083db93de278c4b54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/377432/

Comments