MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b
SHA3-384 hash: 5b1634cbff1f025c241c6cd8363559e62545115fb247160de7211969aa96d91d6f4f5026bd5372086740d1f6c70f7df1
SHA1 hash: bd724a33b983dc441f8b1f115d1900243c1b7755
MD5 hash: 8b78461ae5675e701bee1012494c6aae
humanhash: colorado-lion-twenty-william
File name:Install Updater.hta
Download: download sample
Signature NetSupport
Create hunting rule
File size:1'375'248 bytes
First seen:2023-09-12 22:11:13 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 3072:RkpQ1CWDnNIS1Aoc2GpsWvJ6x+aUm952wog1+WoPWP9WDFdf:RkpqCWDNIfJ2GpskJnmf2woghdW3f
TLSH T1D955AA342979BC2447D7EE6336F14A950DE4466FE0303A3B1A8EE4768A762C115B12FF
Reporter monitorsg
Tags:FakeSG hta NetSupport


Avatar
monitorsg
hXXps://googlestates[.]com/pTskQ6 (Keitaro) --> hXXps://moodi-wood[.]com/wp-content/uploads/elementor/newV(105-3-2123).zip --> hXXps://moodi-wood[.]com/wp-content/uploads/astra/DancingParty.zip --> hXXps://94[.]158.245.150:443 (NetSupport)

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Obfus-94.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6500e2341a86bbaa1f8297cd/reports/a89e4490-103b-4e80-b332-5f44fb9d28e1/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1308475
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suspicious command line found
Suspicious powershell command line found
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1308475 Sample: Install_Updater.hta Startdate: 14/09/2023 Architecture: WINDOWS Score: 88 27 moodi-wood.com 2->27 31 Multi AV Scanner detection for domain / URL 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 Multi AV Scanner detection for submitted file 2->37 9 mshta.exe 1 2->9         started        signatures3 process4 signatures5 39 Suspicious powershell command line found 9->39 41 Very long command line found 9->41 12 powershell.exe 12 9->12         started        process6 signatures7 43 Very long command line found 12->43 45 Suspicious command line found 12->45 47 Found suspicious powershell code related to unpacking or dynamic code loading 12->47 15 cmd.exe 1 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 49 Suspicious powershell command line found 15->49 51 Very long command line found 15->51 20 powershell.exe 15 53 15->20         started        23 powershell.exe 15 15->23         started        25 conhost.exe 15->25         started        process10 dnsIp11 29 moodi-wood.com 172.105.218.153, 443, 49703, 49704 LINODE-APLinodeLLCUS United States 20->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 22:12:07 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kxt5ladpimy3xezftpgfzez2ks3rwxcxzkwqrksz7gyckeh2bnq._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport rat
Link:
https://tria.ge/reports/230912-14gvbsad47/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
NetSupport
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/faaf3eac037a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

HTML Application (hta) hta faaf3eac037a198ddc992cde62e499d2a5b8dae2be55684552cfcd812887d05b

(this sample)

  
Delivery method
Distributed via web download

Comments