MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590
SHA3-384 hash: 7c6e16c8bc8c79219c1031a66176450ac95e987d7947bd40c6179172f7fc6057ab7166f7afa06ac36953ce7fe0fd9f29
SHA1 hash: 663cc7f9bc49ee3c4484382b430c5845a94325dd
MD5 hash: a2f1f2e639e44914bc725fc63ea967fb
humanhash: romeo-cup-echo-fillet
File name:Payment_257.zip
Download: download sample
Signature NetSupport
Create hunting rule
File size:1'620'961 bytes
First seen:2025-01-20 13:30:40 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:swwlr4BBEUxd1hIUdjVfgl9ARRbV10DUqDYxZgtFFSL7JVZvxynX9shph0AR4t3u:JwlrUX12UdRolwVV10Qj/dVZ54NsCD+
TLSH T1F17533C6AC92715C44ECF4FDE117E393BCE26E526D2AEDB026832EEDFF85814A425144
Magika zip
Reporter JAMESWT_WT
Tags:147-45-44-200 147-45-44-255 NetSupport zip

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.45.44.255:443 https://threatfox.abuse.ch/ioc/1388925/

Intelligence

File Origin
# of uploads :
1
# of downloads :
21
Origin country :
IT IT
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Payment_257.js
File size:4'381'231 bytes
SHA256 hash: b5b1733f269437803c845cf7344f60657bb64456c06e5cf63c22ee55249844bd
MD5 hash: 453a136d40114350fd14c719fd6f5e2c
MIME type:text/plain
Signature NetSupport
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.10776.22137.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678e5390b5602ee8cdad9de4
Tags:
applicunwnt vmdetect blic hype
Result
Verdict:
Malicious
File Type:
JS File - Malicious
Link:
https://app.docguard.net/c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590
Details
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-01-20 11:13:11 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhe3262gnou7naxjishdy6dnu3q3gjbtdj5zzaiqipxqixzwawia._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery execution persistence rat
Link:
https://tria.ge/reports/250120-r9v5gavkgy/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Adds Run key to start application
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
NetSupport
Netsupport family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

zip c1c9bd7b466ba9f682e9448e3c786da6e1b324331a7b9c811043ef045f360590

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3406990/
  
Delivery method
Distributed via web download

Comments