MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f
SHA3-384 hash: 2f3e7f3bb2e49b818381ca0414228ec10ca51ea22a60885424fb5714ddee5c3542dd6a822c4a2a221329c4013fe4204e
SHA1 hash: 30e4b73284f682182377ec32b998fb92b6f6d08e
MD5 hash: 2f0bcc1ba89659a866d3ebb5cd752552
humanhash: leopard-salami-angel-ink
File name:indicative_exchange_rates_dtd_26_09_2022_pdf.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'744'140 bytes
First seen:2022-09-26 06:19:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 49152:vKglPE5f5Wv3lDSpPGUOVed3I8tgb2PsMXUBaD7fELSv7Mt4dIP1KZTK:vKgJE5hSQied39t3PrXUmr3zM/9KO
TLSH T197C5EF903A93C021C39ED7F0D975E9FD679E6CA1C123758BE68EBD843A30961F265702
TrID 76.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
9.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 16330f96170f9696 (1 x NetSupport)
Reporter JAMESWT_WT
Tags:Bretvenyzer19-com exe NetSupport

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.213.50.40:3412 https://threatfox.abuse.ch/ioc/851734/

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
https://onedrive.live.com/download?cid=4308726FBB81A16E&resid=4308726FBB81A16E%21105&authkey=ADFEP-H0i9DZvTM
Verdict:
Malicious activity
Analysis date:
2022-09-26 06:16:28 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/5f18ffc8-a8f0-4e1d-84bb-4a267e72ac7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313425/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39155/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/633144d273bbffe3a78bb113/reports/b29ebddf-2b23-40c9-85d6-cd9e7dbf3599/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f94d382-fb8c-4c3c-9942-db988c085b7a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1077180
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 02:45:30 UTC
File Type:
PE (Exe)
Extracted files:
469
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yscb5g3uk3txq4xuvre5ndcu2jw7nfwobeedh5cetlt36ucx5mhq._file
Verdict:
unknown
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/220926-g3rhlahga3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0a7371b2-8afc-4882-a46e-cb8d5790463a
Unpacked files
SH256 hash:
9d18df025753b815c98d2686a33853f65647ad8a520e448d940dddb3801ecfb8
MD5 hash:
bcf7ccea10249f1dff0e1d4105c602fd
SHA1 hash:
8d7e204d55427367b9507b3f8932f2fed0caeb0b
Link:
https://www.unpac.me/results/ab6bc68e-5843-47f1-9d20-0956632b8ea1/
SH256 hash:
41ce52961342ef4da53293852ff6ea3dddb2f9439f05c0673aca17dddb7c203d
MD5 hash:
12026776fa88ddf87603e0c444bc3764
SHA1 hash:
d53376287a2a807378f57a02660eaefc51bd2129
Link:
https://www.unpac.me/results/ab6bc68e-5843-47f1-9d20-0956632b8ea1/
SH256 hash:
b3bb5cfe2dc0d050bc07e3c4cea762ce61d148c4dcfb5eccdab1ce5993f0c288
MD5 hash:
0a3a0b87e0aad81a8e78f6521da75e8c
SHA1 hash:
b4b3b45817c39c5b7ab9a56488c854c5abe2c323
Link:
https://www.unpac.me/results/ab6bc68e-5843-47f1-9d20-0956632b8ea1/
SH256 hash:
162ff33ec9ee3eedf0b5e03de7f24d60ada6da499e5666fdd246261c211fbe6c
MD5 hash:
514a71caf602cc5ac98c9d178034d636
SHA1 hash:
a81a1b96259edac71c92899bef317e40c58f2381
Link:
https://www.unpac.me/results/ab6bc68e-5843-47f1-9d20-0956632b8ea1/
SH256 hash:
5312459a8c8015d41059759e53cb0e66e51ca17f79f0ca50c9c3f792e8368db8
MD5 hash:
294150cffba9353066b5396eba1d3485
SHA1 hash:
6c7c91ed6cfb9501b6bb0209300e4278730c36c0
Link:
https://www.unpac.me/results/ab6bc68e-5843-47f1-9d20-0956632b8ea1/
SH256 hash:
e60c38860a8460f3ba28ef88dc0ad345daf784d84269bdf35c806c1aeebe40e3
MD5 hash:
5c8bdbe31cfa672c36faeb1054e9eb77
SHA1 hash:
287eab6d971df6fd850257f957c1894af89a09e6
Link:
https://www.unpac.me/results/ab6bc68e-5843-47f1-9d20-0956632b8ea1/
SH256 hash:
c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f
MD5 hash:
2f0bcc1ba89659a866d3ebb5cd752552
SHA1 hash:
30e4b73284f682182377ec32b998fb92b6f6d08e
Link:
https://www.unpac.me/results/ab6bc68e-5843-47f1-9d20-0956632b8ea1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313425/

Comments