MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856
SHA3-384 hash: 6a251c213c38f772be03e7ef48a169de480c5c789a6bc0d4422bec0c2d7c4b8265f6b02920d62dca094471b805a6b24b
SHA1 hash: 199aaae35b97c836a2e73835853838d4bf40d42f
MD5 hash: 33ecb54db4fbd30d06c5af6ac5b6237b
humanhash: music-kilo-oven-gee
File name:file
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'367'008 bytes
First seen:2022-11-02 13:03:23 UTC
Last seen:2022-11-02 15:48:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (32 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 49152:/KJ2O6yQ6JBZ9fgNQTVT4JoTipCmd3P4A:/KJtHQ6JC+14JS+d3QA
Threatray 484 similar samples on MalwareBazaar
TLSH T1D8B578613845F822D7BA82B8DC997AF0745DDC20DD217AC75AEC3E9639BE759C20B301
TrID 76.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
9.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 9e16168f0f0e9696 (1 x NetSupport)
Reporter andretavare5
Tags:exe NetSupport


Avatar
andretavare5
Sample downloaded from https://vk.com/doc759438714_648791961?hash=oc1XFVbTcfNTqqjeds5UZXO8dlIvGEFZhG7svA4k4cH&dl=G42TSNBTHA3TCNA:1667393798:KbEEVhLHZ7dIX3FxQA4Cqh0Y1NcSuN8KGqi8olAoYzL&api=1&no_preview=1#sh31_1

Intelligence

File Origin
# of uploads :
59
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-02 13:04:00 UTC
Tags:
unwanted netsupport
Link:
https://app.any.run/tasks/e1827f06-cedb-446a-b0f3-1de0c8089ed8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetSupport
Create hunting rule
Link:
https://www.capesandbox.com/analysis/327160/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a custom TCP request
Launching a process
Launching a service
Forced system process termination
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47429/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed remoteadmin shell32.dll virus
Link:
https://www.filescan.io/uploads/63626ac4ce1f43143c2a736e/reports/295e25c6-3e6f-484f-bf09-b740817316ff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b2703f7-e882-46f2-913b-5539fb3f6b5e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1103648
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 02:26:04 UTC
File Type:
PE (Exe)
Extracted files:
461
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3mab4xxnepucxrf53fxzlvw3e3ucbgqipjvat2sugq2gwpl6pbla._file
Verdict:
unknown
Similar samples:
28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8
NetSupport
6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
NetSupport
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
NetSupport
b64c57f3f83e58764714885b3a0e16a543cfff24ae800ff5dd2540f92b4d46f4
NetSupport
be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502
NetSupport
c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f
NetSupport
dc3b1cd6cc70e681b959bf718ba3a91ac4d5f6c0dfe49fa6ef0f6a7092a5690d
NetSupport
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
NetSupport
+ 474 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/221102-qax94sbfal/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9bb76181-85ea-49ca-b4be-6c35b1b808af
Unpacked files
SH256 hash:
c58c23e9a033b3e51ef3f0532d2a059c548f6a4dcbf784d1becf4473aab3de31
MD5 hash:
fd29a16b9d7b830d29b0b98a44e533c0
SHA1 hash:
e98abe8cd7711cb3687cf42c44a81150d2eed75b
Link:
https://www.unpac.me/results/93e997c5-2a8c-4953-ac45-a22737a848ba/
SH256 hash:
0dc782106b74f212c97e205496e9cd1989339077ab00469ef0f640f183f82f95
MD5 hash:
d96519a7e18b7a22d1bda8636c53b6c1
SHA1 hash:
e75f1c1df1cb85c40f363185db134079116ce6b7
Link:
https://www.unpac.me/results/93e997c5-2a8c-4953-ac45-a22737a848ba/
SH256 hash:
343439a0483e918660683724e3e8eed437528b6f51c9810df6c3b3665d18ba0c
MD5 hash:
d69fdf20772d3f1d93dbf66b0bb940f8
SHA1 hash:
c65980a328781f412e1f2ffc8b11783c2cf7dbc6
Link:
https://www.unpac.me/results/93e997c5-2a8c-4953-ac45-a22737a848ba/
SH256 hash:
0fa4f7aa6468a0788c58b5cd475642d2065b56ea19ae56426a326b88757c19ba
MD5 hash:
23a6eb70922d7e13c734aed61d516de3
SHA1 hash:
82d290e7c41581623c32ce29098b9b5d6e47f78d
Link:
https://www.unpac.me/results/93e997c5-2a8c-4953-ac45-a22737a848ba/
SH256 hash:
5312459a8c8015d41059759e53cb0e66e51ca17f79f0ca50c9c3f792e8368db8
MD5 hash:
294150cffba9353066b5396eba1d3485
SHA1 hash:
6c7c91ed6cfb9501b6bb0209300e4278730c36c0
Link:
https://www.unpac.me/results/93e997c5-2a8c-4953-ac45-a22737a848ba/
SH256 hash:
305e072bae1dc679c16d6fadbf31357dca30c1f5469db04dcee63eef8da92d1b
MD5 hash:
8f47db813511ec77c17b80dc94d2355b
SHA1 hash:
065c9eb72a6eeedf0e00ccafc72c07b79f907933
Link:
https://www.unpac.me/results/93e997c5-2a8c-4953-ac45-a22737a848ba/
SH256 hash:
db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856
MD5 hash:
33ecb54db4fbd30d06c5af6ac5b6237b
SHA1 hash:
199aaae35b97c836a2e73835853838d4bf40d42f
Link:
https://www.unpac.me/results/93e997c5-2a8c-4953-ac45-a22737a848ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/327160/

Comments