MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c
SHA3-384 hash: 2802c92a9a8ce11483eac373da814faa071b328d231eff2fc043f6e8ed49956ae7cec028904e95c92839353a635ff25f
SHA1 hash: f7f02feceaf4f50b1d2899bb3623c1095f72eb98
MD5 hash: 173c2d3b9408ce05c460e6d8c6ca2c75
humanhash: nitrogen-charlie-kentucky-october
File name:173C2D3B9408CE05C460E6D8C6CA2C75.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:44'778 bytes
First seen:2021-08-09 20:15:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 768:KHJd0TpH2+bQ2dUWVX9Hfv1JMWmtLEJOyuBxG0D3mjfS3XJbCuMiVkqIzq2ba0L5:KpgpHzb9dZVX9fHMvG0D3XJbCunkqIzp
Threatray 16 similar samples on MalwareBazaar
TLSH T1E013BF5BB5C189FBD5D2023116B7E73EF77AC2C843510A174BA82F7A3E21593CD1A291
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe NetSupport


Avatar
abuse_ch
NetSupport C2:
94.103.93.23:132

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.103.93.23:132 https://threatfox.abuse.ch/ioc/166286/

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177759/
Detection(s):
SecuriteInfo.com.PUA.DomaIQ.24569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Sending an HTTP GET request to an infection source
Creating a file
Delayed reading of the file
Creating a process from a recently created file
Creating a window
Connection attempt to an infection source
Query of malicious DNS domain
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8679e291-2fda-4c5d-be9c-fc3b22b28921
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
44 / 100
Link:
https://www.joesandbox.com/analysis/829657
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 462084 Sample: WP6TzYzWmG.exe Startdate: 09/08/2021 Architecture: WINDOWS Score: 44 87 vpn.maskvpn.org 2->87 89 user.maskvpn.org 2->89 117 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->117 119 Multi AV Scanner detection for submitted file 2->119 121 May check the online IP address of the machine 2->121 123 3 other signatures 2->123 9 WP6TzYzWmG.exe 14 2->9         started        13 msiexec.exe 3 2->13         started        16 msiexec.exe 4 60 2->16         started        18 19 other processes 2->18 signatures3 process4 dnsIp5 99 46.21.100.248, 49718, 80 PORTLANEwwwportlanecomSE Sweden 9->99 101 pe-ma3i.info 35.205.61.67, 49714, 80 GOOGLEUS United States 9->101 107 2 other IPs or domains 9->107 67 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 9->67 dropped 69 C:\Users\user\AppData\Local\...69SISdl.dll, PE32 9->69 dropped 20 setup.exe 42 9->20         started        71 C:\Users\user\AppData\Local\Temp\shi872.tmp, PE32 13->71 dropped 73 C:\Users\user\AppData\Local\Temp\shi7A6.tmp, PE32 13->73 dropped 129 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->129 131 Opens network shares 13->131 109 2 other IPs or domains 16->109 75 C:\Users\user\AppData\Local\...\shi142A.tmp, PE32 16->75 dropped 77 C:\Users\user\AppData\Local\...\shi13BC.tmp, PE32 16->77 dropped 24 taskkill.exe 1 16->24         started        103 detailskip.taobao.com.danuoyi.tbcache.com 47.246.43.231, 443, 49767, 49796 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 18->103 105 47.246.43.251 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 18->105 111 33 other IPs or domains 18->111 133 Changes security center settings (notifications, updates, antivirus, firewall) 18->133 26 conhost.exe 18->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 3 other processes 18->32 file6 signatures7 process8 dnsIp9 91 www.tikto.pw 109.232.226.206 GLOBALLAYERNL Netherlands 20->91 93 findmemolite.com 46.101.214.246, 49726, 80 DIGITALOCEAN-ASNUS Netherlands 20->93 95 3 other IPs or domains 20->95 59 C:\Users\user\AppData\Local\...\setup_3.exe, PE32 20->59 dropped 61 C:\Users\user\AppData\Local\...\setup_2.exe, PE32 20->61 dropped 63 C:\Users\user\AppData\Local\...\setup_1.exe, PE32 20->63 dropped 65 8 other files (none is malicious) 20->65 dropped 34 setup_1.exe 20->34         started        37 setup_0.exe 66 20->37         started        40 conhost.exe 24->40         started        file10 process11 dnsIp12 49 C:\Users\user\AppData\Local\...\setup_1.tmp, PE32 34->49 dropped 42 setup_1.tmp 34->42         started        97 collect.installeranalytics.com 37->97 51 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 37->51 dropped 53 C:\Users\user\AppData\...\Windows Updater.exe, PE32 37->53 dropped 55 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 37->55 dropped 57 4 other files (none is malicious) 37->57 dropped 47 msiexec.exe 37->47         started        file13 process14 dnsIp15 113 user.maskvpn.org 98.126.176.51 VPLSNETUS United States 42->113 115 mybrowserinfo.com 172.67.134.114 CLOUDFLARENETUS United States 42->115 79 C:\Users\user\AppData\...\libMaskVPN.dll, PE32 42->79 dropped 81 C:\Users\user\AppData\Local\...\botva2.dll, PE32 42->81 dropped 83 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 42->83 dropped 85 43 other files (none is malicious) 42->85 dropped 125 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 42->125 127 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 42->127 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c/
Threat name:
Win32.PUA.InstallMonster
Create hunting rule
Status:
Malicious
First seen:
2021-08-07 04:13:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zchnbvlndw6dj5zfxojrn7jbthwjveio2wojoi4yrpkeq34yz6a._file
Verdict:
unknown
Similar samples:
0240347f0a7e6318facda5d29103c2dba44ef0d45f76706cd5ade058a69c0c55
NetSupport
0705af99615fdc12025b5449cb80591559a3f7a31037cd85dcc64ed0f7224fdc
NetSupport
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
NetSupport
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
NetSupport
6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad
NetSupport
7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548
NetSupport
80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42
NetSupport
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
NetSupport
a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda
NetSupport
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210809-flyt172t2j/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
MD5 hash:
a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 hash:
168f3c158913b0367bf79fa413357fbe97018191
Link:
https://www.unpac.me/results/e278393a-0dc3-4731-bdc4-9c8176e47f4a/
SH256 hash:
e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c
MD5 hash:
173c2d3b9408ce05c460e6d8c6ca2c75
SHA1 hash:
f7f02feceaf4f50b1d2899bb3623c1095f72eb98
Link:
https://www.unpac.me/results/e278393a-0dc3-4731-bdc4-9c8176e47f4a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e6447686ab68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6447686ab68ede1a7b92ddc98b7e90ccf64d48876ace4b91cc45ea2437cc67c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177759/

Comments