MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32
SHA3-384 hash: a051435881cad83caf50c49984612ea327569a5dd85a1a6633dc4a2912460948bf6d14a535e6600804cc96c1fb7f89ea
SHA1 hash: eb365e161a46a707cef780819dcf343a2713df95
MD5 hash: 16fb6c6374739a9679c328a231cc947a
humanhash: neptune-ohio-enemy-early
File name:16fb6c6374739a9679c328a231cc947a.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'457'540 bytes
First seen:2023-09-09 21:45:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3eaa732d4dae53340f9646bdd85dac41 (11 x NetSupport, 6 x RedLineStealer, 4 x ISRStealer)
ssdeep 49152:wB74H444hiQTTzfQLTmIXUrgjo5tSS9zQwr/xJ8tKO6ETgu6Ua:k74H444hj/LQL1XUr+o5tN9zQIxJ8Isi
Threatray 654 similar samples on MalwareBazaar
TLSH T1A8B512A13190E071D863DC356AADE220E6AA7D21B7B15F877F80371F29F36909F19325
TrID 73.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
8.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.6% (.SCR) Windows screen saver (13097/50/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 36c29292b2484c82 (8 x SnakeKeylogger, 5 x AgentTesla, 4 x RemcosRAT)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
5.39.110.142:1770

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
16fb6c6374739a9679c328a231cc947a.exe
Verdict:
Malicious activity
Analysis date:
2023-09-09 21:48:47 UTC
Tags:
unwanted netsupport remote
Link:
https://app.any.run/tasks/536d9629-32d2-4c53-9814-060a70886320

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447668/
Detection(s):
Win.Trojan.Starter-287
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm cmd control cscript evasive explorer fingerprint greyware keylogger lolbin lolbin netsupport netsupportmanager overlay packed packed remote remoteadmin replace shdocvw shell32 virus wscript
Link:
https://www.filescan.io/uploads/64fce79c86964ed9c617ceee/reports/8753fd38-0df5-421e-ae59-7024eff87fc6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9f51712c-4fa3-4ead-aac8-ede68e7639a9
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1306724
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to modify clipboard data
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 16:31:02 UTC
File Type:
PE (Exe)
Extracted files:
471
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrrf6kbzagpopgxrnnmauusi5iiz4gtjieonosmondipxezfp4za._file
Verdict:
malicious
Similar samples:
233019f7f2464732ec93ec2b01b360363a9c5a387c1f392c4ed92c90aeb5505f
NetSupport
2b4021a41f886f99fa165acb89dfd992ae09b20c301686d787adc91acb823078
NetSupport
6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
NetSupport
74b200a4368355d3b7de637b83187c08a4c670a90b0ab624d4eff2287424c9e6
NetSupport
93682aac34f1d48553ff05d088f225210bad9e69ea3efb75da3371d096aa2fed
NetSupport
9f5feccfcce9d5a6af03e983c7fce6a38cf40fd0cfc518a612c696c572ba2fd5
NetSupport
bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b
NetSupport
db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856
NetSupport
+ 644 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230909-1mlryseb49/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Unpacked files
SH256 hash:
06fde638a126ff87544fe046bf5b6a424570f1258422736ef6260650ba87309c
MD5 hash:
e8cc447a69d1b9fa57e678cb88cce0e9
SHA1 hash:
be4aea9768f5376471932bc1c6f8e08e4a6275c7
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
SH256 hash:
bb1a8de8cdc59623a6c0dd4fae947dc78b6e305feb35e09c6c4ac13f7316746b
MD5 hash:
9a63a428bcf1be839c1fb8dc63493a73
SHA1 hash:
dfb1dee092d8632ab755bfe8850af7adf78c136d
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
SH256 hash:
341a42f515390f0136223044380682478898abbf7f85726ac4f3004ac7cbf3b3
MD5 hash:
fc11d2aedb1d7a203e04f2801375a082
SHA1 hash:
f9de1df29da8087263279b8fae0c02fb386beb84
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
SH256 hash:
4b9b4cb483b159c3bf5906f56a268d1cd9da34428bf9b7bab0d75d5e4a885186
MD5 hash:
1ea0cbdfee9fb76798d8d3cb7d91015d
SHA1 hash:
ac5b08a08f9ef4a35bf3a54a889ea1b4878a6154
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
SH256 hash:
10c11895f827a37c36f86d16b9d4599566032b707910a56621387c8dfdc35141
MD5 hash:
fb81be2dccc318a92b0357314281d1ab
SHA1 hash:
a300c27871383d3fb8a67cb0e978c4e14df5d26b
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
SH256 hash:
97fdf1636fabf7270388e80cb580d541d269c1cf2daab431da9e4b98ae78de95
MD5 hash:
763621050122d060e52cff2edcd0e6d1
SHA1 hash:
67da09e209c8d177d9bb081c2040deb4773d5dda
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
SH256 hash:
6e8a16d505bb32a473e9dd5ae74276c690df83dd34e893ab9bc095c4b4257826
MD5 hash:
8d9e2c102549ce991984545a5d941009
SHA1 hash:
5535ee903e6390b8e7fd5691e8d13841cbf6d769
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
SH256 hash:
cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32
MD5 hash:
16fb6c6374739a9679c328a231cc947a
SHA1 hash:
eb365e161a46a707cef780819dcf343a2713df95
Link:
https://www.unpac.me/results/711d654f-73b0-438f-a62a-b904eb93b791/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447668/

Comments