analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

eb3b4267.exe

Full analysis: https://app.any.run/tasks/672a7c7f-78b0-4684-a0e4-6dfb312476d5
Verdict: Malicious activity
Analysis date: May 29, 2020, 22:31:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netsupport
unwanted
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

FE5B9802204418AA5238C4D2A16D799C

SHA1:

EAF47425D900150CEB5F0E88E5E7D08E4634BB20

SHA256:

0F170F04C03A6AEB1B60FC29B053FCC981DE9229F0AA60DDF7988D3BB3167C23

SSDEEP:

49152:/RmS6Vx3F1rSdZ/ufvr7TE22qqpE+OVbbI3TyqxNoJ4vhxPXSn:/RTy3PWd9ufD+B07rJYLE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • eb3b4267.exe (PID: 3100)

    • Loads dropped or rewritten executable

      • client32.exe (PID: 3032)

    • Application was dropped or rewritten from another process

      • client32.exe (PID: 3032)

    • Connects to CnC server

      • client32.exe (PID: 3032)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • client32.exe (PID: 3032)

    • Creates files in the user directory

      • eb3b4267.exe (PID: 3100)

    • Executable content was dropped or overwritten

      • eb3b4267.exe (PID: 3100)

    • Connects to server without host name

      • client32.exe (PID: 3032)

  • INFO

    • Drop NetSupport executable file

      • eb3b4267.exe (PID: 3100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:26 11:02:47+01:00
PEType: PE32
LinkerVersion: 14
CodeSize: 198144
InitializedDataSize: 126976
UninitializedDataSize: -
EntryPoint: 0x1e1f9
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Mar-2020 10:02:47
Detected languages:
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 26-Mar-2020 10:02:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00030581
0x00030600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70021
.rdata
0x00032000
0x0000A332
0x0000A400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.23888
.data
0x0003D000
0x000238B0
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.83994
.gfids
0x00061000
0x000000E8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.12166
.rsrc
0x00062000
0x0001157C
0x00011600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.35509
.reloc
0x00074000
0x0000210C
0x00002200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.61039

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
5.65109
9640
Latin 1 / Western European
Process Default Language
RT_ICON
3
5.42653
4264
Latin 1 / Western European
Process Default Language
RT_ICON
4
5.63317
2440
Latin 1 / Western European
Process Default Language
RT_ICON
5
4.66705
1128
Latin 1 / Western European
Process Default Language
RT_ICON
7
3.66634
508
Latin 1 / Western European
UNKNOWN
RT_STRING
8
3.71728
582
Latin 1 / Western European
UNKNOWN
RT_STRING
9
3.73856
422
Latin 1 / Western European
UNKNOWN
RT_STRING
10
3.55807
220
Latin 1 / Western European
UNKNOWN
RT_STRING
11
3.89762
1124
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start eb3b4267.exe client32.exe

Process information

PID
CMD
Path
Indicators
Parent process
3100"C:\Users\admin\AppData\Local\Temp\eb3b4267.exe" C:\Users\admin\AppData\Local\Temp\eb3b4267.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3032"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe" C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe
eb3b4267.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V12.50
Total events
423
Read events
410
Write events
13
Delete events
0

Modification events

(PID) Process:(3100) eb3b4267.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3100) eb3b4267.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3032) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3032) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3032) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3032) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3032) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3032) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3032) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
9
Suspicious files
1
Text files
5
Unknown types
1

Dropped files

PID
Process
Filename
Type
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.initext
MD5:F189C9BE825C43E7BC601616FC7654C4
SHA256:6CC0D580DC462D27B45B7C86C830E164DD63C72907F17413A1BF5493478990C7
3032client32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\loca[1].htmtext
MD5:6DAC64567026079B97FA1743EE782647
SHA256:A383C47D372D763CC266852282C4CA327FB586543CA31E7ED5D794D646CC47DA
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnklnk
MD5:58C7E908F9A00291DC5CA9C97909DF62
SHA256:5E8A673814ECF6896023CDB2C74F6C8DD1C7ED8AA132D9AE5431A1534B071AA6
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nsm_vpro.initext
MD5:3BE27483FDCDBF9EBAE93234785235E3
SHA256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\msvcr100.dllexecutable
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\AudioCapture.dllexecutable
MD5:771E97F76E213ED2D2B0B7C6639E1C68
SHA256:8AF1DD14B521D96D711B0EC5E1651D961B5F0D6AC18FBEE3EF66E065E9766F72
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSM.initext
MD5:88B1DAB8F4FD1AE879685995C90BD902
SHA256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\HTCTL32.DLLexecutable
MD5:2D3B207C8A48148296156E5725426C7F
SHA256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcicapi.dllexecutable
MD5:DCDE2248D19C778A41AA165866DD52D0
SHA256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
3100eb3b4267.exeC:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCICHEK.DLLexecutable
MD5:A0B9388C5F18E27266A31F8C5765B263
SHA256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3032
client32.exe
GET
200
62.172.138.35:80
http://geo.netsupportsoftware.com/location/loca.asp
GB
text
15 b
suspicious
3032
client32.exe
POST
200
139.28.220.180:2061
http://139.28.220.180/fakeurl.htm
unknown
binary
159 b
suspicious
3032
client32.exe
POST
200
139.28.220.180:2061
http://139.28.220.180/fakeurl.htm
unknown
binary
61 b
suspicious
3032
client32.exe
POST
139.28.220.180:2061
http://139.28.220.180/fakeurl.htm
unknown
suspicious
3032
client32.exe
POST
139.28.220.180:2061
http://139.28.220.180/fakeurl.htm
unknown
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3032
client32.exe
139.28.220.180:2061
newnetgate1.info
suspicious
62.172.138.35:80
geo.netsupportsoftware.com
British Telecommunications PLC
GB
suspicious

DNS requests

Domain
IP
Reputation
newnetgate1.info
  • 139.28.220.180
unknown
geo.netsupportsoftware.com
  • 62.172.138.35
  • 195.171.92.116
suspicious

Threats

PID
Process
Class
Message
3032
client32.exe
A Network Trojan was detected
REMOTE [PTsecurity] NetSupport
3032
client32.exe
A Network Trojan was detected
REMOTE [PTsecurity] NetSupport
3032
client32.exe
A Network Trojan was detected
REMOTE [PTsecurity] NetSupport
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
eb3b4267.exe