MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
SHA3-384 hash: 3a578909a9c1542281c45bc2884050c59bd091fc2d2b04f8cf5cf4459c4f4dcf20b48353cee8fdb4845483a081fb1e1f
SHA1 hash: 641d20b31f5b2aba11746d1e533cbe4d4ee9c6ed
MD5 hash: 47cfce938a71540a2039aebd5abe0783
humanhash: ceiling-burger-pizza-one
File name:d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'138'135 bytes
First seen:2024-12-24 16:35:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 49152:VIf96RO0EkHbG+xw6NbHHBp7k5hhelN6YawnqLKwgVRl:VIFP6wYt5ShAiYawbwW
Threatray 729 similar samples on MalwareBazaar
TLSH T1CBA52302F9C6C5B2D53308390A68AB55797DBF342F28DD6FA78D5E1ACA301917338A53
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10522/11/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:45-76-253-210 exe NetSupport


Avatar
abuse_ch
NetSupport C2:
45.76.253.210:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.76.253.210:443 https://threatfox.abuse.ch/ioc/1359486/

Intelligence

File Origin
# of uploads :
1
# of downloads :
504
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Verdict:
Malicious activity
Analysis date:
2024-12-24 16:36:26 UTC
Tags:
netsupport remote unwanted
Link:
https://app.any.run/tasks/0f764f6a-2eab-43fe-9a4a-b07366e5e490

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.DarkKomet-10027799-0
Create hunting rule

SecuriteInfo.com.LuheRARDropper.19200.30796.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=676ae2f375bf3268d2fe4332
Tags:
vmdetect netsup
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Connection attempt
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm anti-vm anti-vm cmd control cscript exploit explorer fingerprint fingerprint hh installer keylogger lolbin microsoft_visual_cc netsupport overlay packed packed packer_detected redcap remote remoteadmin sfx wscript
Link:
https://www.filescan.io/uploads/676ae2fee46f10e4261568c8/reports/ed8c1c1e-e811-4100-ab56-b83a5a9a0bd3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a58c807f-b10d-44b4-931f-a62a93c1e3e8
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1580475
Signature
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1580475 Sample: d1c701d984c5e04b42f3cb7165f... Startdate: 24/12/2024 Architecture: WINDOWS Score: 96 38 geo.netsupportsoftware.com 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 8 d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe 17 2->8         started        11 bild.exe 2->11         started        13 bild.exe 2->13         started        15 bild.exe 2->15         started        signatures3 process4 file5 30 C:\Users\Public30etstat\remcmdstub.exe, PE32 8->30 dropped 32 C:\Users\Public32etstat\pcicapi.dll, PE32 8->32 dropped 34 C:\Users\Public34etstat\bild.exe, PE32 8->34 dropped 36 6 other files (3 malicious) 8->36 dropped 17 cmd.exe 1 8->17         started        process6 signatures7 44 Uses cmd line tools excessively to alter registry or file data 17->44 20 bild.exe 16 17->20         started        24 conhost.exe 17->24         started        26 reg.exe 1 1 17->26         started        28 reg.exe 1 1 17->28         started        process8 dnsIp9 40 45.76.253.210, 443, 49730 AS-CHOOPAUS United States 20->40 42 geo.netsupportsoftware.com 104.26.1.231, 49731, 49732, 49733 CLOUDFLARENETUS United States 20->42 54 Multi AV Scanner detection for dropped file 20->54 56 Contains functionalty to change the wallpaper 20->56 58 Delayed program exit found 20->58 60 Contains functionality to detect sleep reduction / modifications 20->60 signatures10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954/
Threat name:
Win32.Trojan.NetSupport
Create hunting rule
Status:
Malicious
First seen:
2024-12-18 15:10:53 UTC
File Type:
PE (Exe)
Extracted files:
470
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hdqdwmeyxqewqxtznywl7eja7oz6rxjdyknlavw2c3pdcbqnfka._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
NetSupport
50c263fc02412062ca239e7419880678f797408a243d0a2140bc7bbb96a716c1
NetSupport
6a8f94da45c0b3b791bbfb71b2e9a7cc6bd5dd777da0655ebc3137ad4070c72f
NetSupport
a3d6d7eea1a9270e20be65394c942207078daac5952a12a9404dd4c557fd2944
NetSupport
bf2165a4bdafb0945c8b370758e6d0b9ab145147e7ddab448a01b3b25c2ad8a7
NetSupport
error
NetSupport
+ 719 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery persistence rat
Link:
https://tria.ge/reports/241224-t38hbsslbn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
remoteaccesstool Win.Trojan.DarkKomet-10027799-0
YARA:
n/a
Link:
https://app.threat.zone/submission/7b9e8510-f5bc-48d5-a913-2e3cc598e64a
Unpacked files
SH256 hash:
bfb797d329903946ac3d712ee35cc138f5dbf3bf0db43a60ffbba4ae5cd9cdfc
MD5 hash:
c66cef6eda8cc2822700a879dbb08306
SHA1 hash:
3c492a19a64b72b54d2095883cbdde2e772a9949
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
26dbb528c270c812423c3359fc54d13c52d459cc0e8bc9b0d192725eda34e534
MD5 hash:
325b65f171513086438952a152a747c4
SHA1 hash:
a1d1c397902ff15c4929a03d582b09b35aa70fc0
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
00f57b9910630a7049df821a39c733ca35763d9b11a58e8c0e52b06066a52643
MD5 hash:
46eacdca48274cc56965e2f11cc63d66
SHA1 hash:
305429533557823d54f1cb1766d080b7249b6d99
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5 hash:
f525bd5dcec08be37a94d743d345be14
SHA1 hash:
ed1485111b370e0f75c004c5b253d3bf7ce18cf7
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
0a98e2f3da9407ac2c37377ff6583a8f462715253fa12fbacef6e0dea166a003
MD5 hash:
9c7f9a9a83c51786fe2d98597d72c24f
SHA1 hash:
ab02a3c9c178e85f41d28c0ba14ba56b42dc0d5b
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
4ae7f023eeaed7bb6eb2a59e9766a68e61a91419b0d741cfbd592ef9bc862f2a
MD5 hash:
5a28842238b9841f4886ca803c3b1e30
SHA1 hash:
9553d220bb29356d50b4b9d5b60b4606ab2b02db
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
6f08ea3ac35d8bbbf62aebf041597aacbe83b9be7267384de6c6ab5c28957c88
MD5 hash:
4df9a291c5d130c25efe16556d3c030d
SHA1 hash:
884f32422009beb05c8955c77853d3e62ab4fe7b
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
141dd89ba78fdcf56c9ebfc9062416063f14180590288f2fd1c9fe656451fb60
MD5 hash:
beb5e88e8222a516350ca7c817c8fe12
SHA1 hash:
ba77cd746065242a348147e557bb59ee068d6905
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
SH256 hash:
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
MD5 hash:
47cfce938a71540a2039aebd5abe0783
SHA1 hash:
641d20b31f5b2aba11746d1e533cbe4d4ee9c6ed
Link:
https://www.unpac.me/results/8d1cb3be-9455-490e-b8e5-49103cb53f46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments