MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb76386ce3f17a25d59046a70cc05898bcccc7422ab92681777071e46d8943e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 12



SHA256 hash: fb76386ce3f17a25d59046a70cc05898bcccc7422ab92681777071e46d8943e5
SHA3-384 hash: 4bc2af35cdd246d3ac8f3219f5f43d2fb92f2fc9fb802ffb1dc8cdfdd9dc0c8b2a4de85c62a3e5a86bdaaa651cfb2e42
SHA1 hash: 213a458d9dce2de6db03d9b5cab72c85b9d344ab
MD5 hash: 46948156149643b41758bcfc96902b60
humanhash: mountain-oscar-september-spaghetti
File name: FB76386CE3F17A25D59046A70CC05898BCCCC7422AB92.exe
Signature: NetSupport
File size: 2'131'912 bytes
First seen: 2022-11-22 22:45:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep: 49152:nK0UUBobGFe4EzcquA2rHAHq/laKPZrF5MJjrntP4G:nK0UUBoiFezzcquA2rH9laKxrFgjbtQG
Threatray: 495 similar samples on MalwareBazaar
TLSH: T18FA523B275C98031E4732530A5BCD7A6BE3AB5306B767A0FBB844E1D7F30A819725352
TrID: 76.2% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      8.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      4.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: 9084c2d1643ccef2 (2 x NetSupport)
Reporter: abuse_ch
Tags: exe NetSupport signed

Code Signing Certificate

Organisation: DAMOKLES SECURITY INNOVATIONS LTD.
Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2022-06-24T16:45:19Z
Valid to: 2023-03-04T21:45:06Z
Serial number: 5b98e466d6e65c422f7990e8
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: a45ba21de64b1e2a1b02caf9934f5d20def1031cc57f5099e3fd54ce3fa2269b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
NetSupport C2:
206.188.196.23:3961

Intelligence


File Origin
# of uploads: 1
# of downloads: 193
Origin country: n/a
Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: FB76386CE3F17A25D59046A70CC05898BCCCC7422AB92.exe
Verdict: Malicious activity
Analysis date: 2022-11-22 22:48:16 UTC
Tags: unwanted netsupport

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2022-10-19 14:13:15 UTC
File type: PE (Exe)
Extracted files: 460
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetSupport
Unpacked files
SHA256 hash: c58c23e9a033b3e51ef3f0532d2a059c548f6a4dcbf784d1becf4473aab3de31
MD5 hash: fd29a16b9d7b830d29b0b98a44e533c0
SHA1 hash: e98abe8cd7711cb3687cf42c44a81150d2eed75b

SHA256 hash: 7c2187a3c29299acce8a7cdda35a231318388e888df1ab3d57667f578e3d8abf
MD5 hash: 3f5e4122f092ef6fd0f218f6fb03fd31
SHA1 hash: 6c9fffb0589a376f45b41fb043f40b1314082f85

SHA256 hash: 1376c3a5d81459ccd90329c129d322c411591a4126a94e9c00a965988cc16857
MD5 hash: 829037a39d86086b3042a1134749b390
SHA1 hash: 40b73263d85b1d3c5bd5136ec2bbef06de7dd5c9

SHA256 hash: 8ab11b23da0db34853a2edaf344b25462c2a959437d20ddf425771e09c0dbbb7
MD5 hash: 3a62f649d42251f0472ef177cce25db3
SHA1 hash: 32561e7cace67a25f85ee2126d26b231915af3a5

SHA256 hash: cd854235e3c66d364df35b56177d77cfe75d5cb7808128dec7df5bffface7bd6
MD5 hash: 32b1f290fcf6b8c0d3acc3b221fbbb6f
SHA1 hash: 04da07a7d400b4a1d9396a213bf29d6a2a1a9e5c

SHA256 hash: 01956b7c1fdef594bd0c88b31ba29f6d6602102f0eb88ed47496635528a3a5e9
MD5 hash: cb65b10a910af360104272ae1d17bdad
SHA1 hash: 0a46e13839942d89255b75ddcf2ffbd187831dbb

SHA256 hash: fb76386ce3f17a25d59046a70cc05898bcccc7422ab92681777071e46d8943e5
MD5 hash: 46948156149643b41758bcfc96902b60
SHA1 hash: 213a458d9dce2de6db03d9b5cab72c85b9d344ab
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments