MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3dfec759e0e2c8c5b9c57ae941ec7e0fe902bb5eb3ac9c44b47296bbc66f8af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3dfec759e0e2c8c5b9c57ae941ec7e0fe902bb5eb3ac9c44b47296bbc66f8af
SHA3-384 hash: 00fb7bf459522c185368cff2aa3cdf7f8c620c0328744912b72e79fe75eeb19b2d9264957eaac78c9729848fd69e034c
SHA1 hash: d8f988c5a6a3b9957c53bce3f5a0fe1c8fc618e1
MD5 hash: 4cc1911165a8f68dd066502c3fb6fe9a
humanhash: quebec-moon-connecticut-seventeen
File name:4cc1911165a8f68dd066502c3fb6fe9a.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'670'933 bytes
First seen:2023-03-16 16:20:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 49152:jsOTd0VUXdCBTQsmARXBvK4DMitfle7+xaFWg067EcSUCFfw0:EGYnXZK44ilYFWg0HcSdFY0
Threatray 197 similar samples on MalwareBazaar
TLSH T131C5BC1C1757CC15DA069E32E86A44F4D9B84C2EFA3E099396A13F2A37728832DD1D3D
TrID 73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.6% (.SCR) Windows screen saver (13097/50/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 8e968e0e9e8e9696 (1 x NetSupport)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
45.11.180.120:4421

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
https://simbafoamltd.com/img/Supporting_Documents_Required_details-pdf.rar
Verdict:
Malicious activity
Analysis date:
2023-03-14 10:49:31 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/eafce356-a929-4767-a249-4ee6a79e4e57

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374847/
Detection(s):
SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73408/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm cmd.exe control.exe cscript.exe evasive explorer.exe fingerprint greyware hacktool keylogger overlay packed packed shdocvw.dll shell32.dll wscript.exe
Link:
https://www.filescan.io/uploads/641341ef3b01ade53e6ebb4a/reports/a6b85bf7-f5dc-4525-97a2-36a2e3fc20f9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/c3dfec759e0e2c8c5b9c57ae941ec7e0fe902bb5eb3ac9c44b47296bbc66f8af
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef76ac8e-c40c-4491-b61f-c31bf5134566
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1195140
Signature
Found potential ransomware demand text
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3dfec759e0e2c8c5b9c57ae941ec7e0fe902bb5eb3ac9c44b47296bbc66f8af/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 07:20:47 UTC
File Type:
PE (Exe)
Extracted files:
461
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ypp6y5m6bywiyw44k6xjihwh4d7jak5v5m5mtrcli4uwxpdg7cxq._file
Verdict:
malicious
Similar samples:
642c17be83f9e9f693990f43a65be25e99e69b245d38da627a3e19e0eb87d79d
NetSupport
6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da
NetSupport
6c4cb90c67cb1cbf30cf97de18680233997927d2a90df9544f2f0cc3ff81cd9b
NetSupport
7cfe6b3d43caf0e6d990caf7b778d9c68e8e95f9ea6a44f9fefb46be5476c083
NetSupport
8c2d06fd9757d3819f61d6892b4cd55657a4ae58dd585f343ea752646cbbe511
NetSupport
8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c
NetSupport
a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7
NetSupport
b505047dae115dec42d3ffc392065c10d06e19f748a02d38c51a715e156f7591
NetSupport
+ 187 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230316-ttqwxsbg57/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
af99e87c40c38a14df0dafe5d32f5a38d68ec973f6dc2fd088e8514c05c93f10
MD5 hash:
f017babfd5c9203f40adf3b4f3c7c59d
SHA1 hash:
3ae035d8f0b743ae159cba7453ae9e2aad56fb9b
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
SH256 hash:
43e6f52038b9b63cd0ccbb945db2ce3ca67bf7ce7d36abe2da7dcf0a375a94ce
MD5 hash:
ccedb2aafd4e8ea94b245701e3161e24
SHA1 hash:
e5b74776fdbaca093371304484ea25425ed2fd39
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
SH256 hash:
ec4f38fea10c621d9124475ed8ebedaf10df734f77b27ef1da75b2b025e0b687
MD5 hash:
5ed9a0bf5bce678172ab73cb826a6bdf
SHA1 hash:
c9bb309eefd330c7c0f38845e318bba99f0a79d5
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
SH256 hash:
08525fffa700a63c7130ef622f7ac6d671f7478cf54af7f84f94674d90ce6099
MD5 hash:
ca467e32892ac679d994e96e291776dd
SHA1 hash:
b63b5dca21546c7c76a550c8723237b97e25598a
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
SH256 hash:
969b7a3363dd116ad97527cca7eb4e91f6cf924cc1bcf462becd1a020cf8f0de
MD5 hash:
55165376f01d1f900f8f06a92014f020
SHA1 hash:
7fe3d5760cd5a5b17c26b683c48044d23437c33d
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
SH256 hash:
fa992e2a3aaa2045665a9211bd948fbfc98cf1b3380e7faa1d381b69f9b64d82
MD5 hash:
e3930a73b9f31a228fc1b5f1f7479ffa
SHA1 hash:
2322f2a3ee705d20130eeed350eb4dfcaf650377
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
SH256 hash:
50d536372d29c4940a9d5a6e5cdf3f1cf445a3e5797195c43585bd9a411ceadf
MD5 hash:
54b2d934be283f4b2f4db27393df2459
SHA1 hash:
08a4b93d7caa511824b447f805036bc00cfd6986
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
SH256 hash:
c3dfec759e0e2c8c5b9c57ae941ec7e0fe902bb5eb3ac9c44b47296bbc66f8af
MD5 hash:
4cc1911165a8f68dd066502c3fb6fe9a
SHA1 hash:
d8f988c5a6a3b9957c53bce3f5a0fe1c8fc618e1
Link:
https://www.unpac.me/results/c3251473-fbd4-4d19-ae44-1bf67211aafe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3dfec759e0e2c8c5b9c57ae941ec7e0fe902bb5eb3ac9c44b47296bbc66f8af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374847/

Comments