MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc
SHA3-384 hash: a7b6883f80c775973a1e0bddb7cc0eccabc9011f9197035da6da830bc4ab44364b9f3d6e55f803c9a5883006cf5449ef
SHA1 hash: e14b5c3a761b848a0577f95f5567819254f2d342
MD5 hash: da13113783a8674c92a94573a164ab9e
humanhash: low-florida-king-spaghetti
File name:DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'172'388 bytes
First seen:2021-09-06 12:45:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 49152:h+/pCDxgkOiRQyX8g8cSvNo5MJpvFNjrT8wplb6rXrI:h+/1hiR9sVcSyypzvT8wp9+I
Threatray 33 similar samples on MalwareBazaar
TLSH T1E5A533A773C6087BE04311320FBA6755E6B5BDB46C3DAC0EE3900E79FB695920A25353
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
5.45.83.127:1203

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.45.83.127:1203 https://threatfox.abuse.ch/ioc/216209/

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe
Verdict:
Malicious activity
Analysis date:
2021-09-06 12:46:13 UTC
Tags:
installer
Link:
https://app.any.run/tasks/cf6365b0-801a-4d16-ab92-5059f4d6f36b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185671/
Detection(s):
Win.Dropper.Formbook-9783426-0
Create hunting rule

SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
DNS request
Connection attempt
Sending an HTTP GET request to an infection source
Sending a UDP request
Creating a file
Delayed reading of the file
Connection attempt to an infection source
Query of malicious DNS domain
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8049fb39-2082-499d-b938-b3bfd6e30a87
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/846000
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478432 Sample: DF7049B8C4D704376BE3920232B... Startdate: 06/09/2021 Architecture: WINDOWS Score: 48 90 98.126.176.51 VPLSNETUS United States 2->90 92 172.67.130.202 CLOUDFLARENETUS United States 2->92 104 Multi AV Scanner detection for dropped file 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 Machine Learning detection for sample 2->108 110 3 other signatures 2->110 10 DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe 8 2->10         started        13 msiexec.exe 3 2->13         started        16 msiexec.exe 2->16         started        19 19 other processes 2->19 signatures3 process4 dnsIp5 62 C:\Users\user\Desktop\run-setup.exe, PE32 10->62 dropped 21 run-setup.exe 15 10->21         started        64 C:\Users\user\AppData\Local\...\shi9701.tmp, PE32 13->64 dropped 66 C:\Users\user\AppData\Local\...\shi9674.tmp, PE32 13->66 dropped 118 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->118 120 Opens network shares 13->120 80 pstbbk.com 157.230.96.32, 49714, 80 DIGITALOCEAN-ASNUS United States 16->80 82 collect.installeranalytics.com 3.209.18.1, 443, 49715, 49716 AMAZON-AESUS United States 16->82 68 C:\Users\user\AppData\Local\...\shiA440.tmp, PE32 16->68 dropped 70 C:\Users\user\AppData\Local\...\shiA3E1.tmp, PE32 16->70 dropped 26 taskkill.exe 16->26         started        84 209.97.136.169, 21063, 49758 DIGITALOCEAN-ASNUS United States 19->84 86 110.t.keepitpumpin.io 163.172.204.15, 49727, 8080 OnlineSASFR United Kingdom 19->86 88 30 other IPs or domains 19->88 122 Changes security center settings (notifications, updates, antivirus, firewall) 19->122 28 conhost.exe 19->28         started        30 conhost.exe 19->30         started        32 conhost.exe 19->32         started        34 3 other processes 19->34 file6 signatures7 process8 dnsIp9 98 46.21.100.248, 49706, 80 PORTLANEwwwportlanecomSE Sweden 21->98 100 pe-ma3i.info 35.205.61.67, 49704, 49705, 80 GOOGLEUS United States 21->100 102 4 other IPs or domains 21->102 58 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 21->58 dropped 60 C:\Users\user\AppData\Local\...60SISdl.dll, PE32 21->60 dropped 114 Antivirus detection for dropped file 21->114 116 Machine Learning detection for dropped file 21->116 36 setup.exe 37 21->36         started        41 conhost.exe 26->41         started        file10 signatures11 process12 dnsIp13 94 findmemolite.com 46.101.214.246, 49711, 80 DIGITALOCEAN-ASNUS Netherlands 36->94 96 143.204.101.75 AMAZON-02US United States 36->96 50 C:\Users\user\AppData\...\installer[1].exe, PE32 36->50 dropped 52 C:\Users\user\AppData\Local\...\setup_1.exe, PE32 36->52 dropped 54 C:\Users\user\AppData\Local\...\setup_0.exe, PE32 36->54 dropped 56 4 other files (none is malicious) 36->56 dropped 112 Antivirus detection for dropped file 36->112 43 setup_0.exe 66 36->43         started        46 setup_1.exe 36->46         started        file14 signatures15 process16 file17 72 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 43->72 dropped 74 C:\Users\user\AppData\...\Windows Updater.exe, PE32 43->74 dropped 76 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 43->76 dropped 78 4 other files (none is malicious) 43->78 dropped 48 msiexec.exe 43->48         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc/
Threat name:
Win32.PUA.InstallMonster
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 23:57:00 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=35yetoge24cdo27dsibdfmn2nmwiz4x7b6ophpzc63mjyhevcxoa._file
Verdict:
malicious
Similar samples:
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
NetSupport
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
NetSupport
62cf8452627f42cc0f5655a12ef386c720e11f2fd2ad7ec64ea821184ffacc65
NetSupport
6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad
NetSupport
7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548
NetSupport
80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42
NetSupport
a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda
NetSupport
e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
NetSupport
e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c
NetSupport
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210906-pzmz1aecdn/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
MD5 hash:
a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 hash:
168f3c158913b0367bf79fa413357fbe97018191
Link:
https://www.unpac.me/results/3e1d60e2-6bce-4f66-b8d4-5f19fd82c752/
SH256 hash:
dc66a4d772fed3095102dec6a176354b3ab1bf0906ad375b42f20ddb87477664
MD5 hash:
53aaa9655c511da5ad0c77eae15515da
SHA1 hash:
addb5ead10a69fe1eb13841bb87bf2fd2a82b64c
Link:
https://www.unpac.me/results/3e1d60e2-6bce-4f66-b8d4-5f19fd82c752/
SH256 hash:
df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc
MD5 hash:
da13113783a8674c92a94573a164ab9e
SHA1 hash:
e14b5c3a761b848a0577f95f5567819254f2d342
Link:
https://www.unpac.me/results/3e1d60e2-6bce-4f66-b8d4-5f19fd82c752/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df7049b8c4d704376be3920232b1ba6b2c8cf2ff0f9cf3bf22f6d89c1c9515dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185671/

Comments