Windows
Analysis Report
client32.exe
Overview
General Information
Detection
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Classification
- System is w10x64
- client32.exe (PID: 3380, cmdline: "C:\Users\user\Desktop\client32.exe", MD5: ACA274219070DA800E92A8CAE61235BC)
- cleanup
Rule | Description | Author
---|---|---
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Detection | Scanner | Label
---|---|---
29% | ReversingLabs | Win32.Trojan.NetSupport
23% | Virustotal |
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427727
Start date and time: 2024-04-18 02:15:53 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: client32.exe
Detection: MAL
Classification: mal48.winEXE@1/0@0/0
EGA Information: Failed
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target client32.exe, PID 3380 because there are no executed functions
Entropy (8bit): 3.8230936527915764
File name: client32.exe
File size: 101'720 bytes
MD5: aca274219070da800e92a8cae61235bc
SHA1: 7347b65bb6eaf0931220bb201c39a66206f0d2c4
SHA256: 21903b51f23f7af681a9f69aa066753b202af6c537b97a247d98cfbdec150d63
SHA512: 08df88938059e7324b755c3bc88d8943aaaf6f9244c748f521b265fd0417750e067cff077875d0168a440ad0b5fd3c1b0fa4dd5335bd707d4bf3b07e6c6ede2a
SSDEEP: 768:qHcHeEYjB9aFIrdXrY/TEqMVnYYEFwGxDrLabMiF:qHHF9qEGMVntqxUn
TLSH: 26A3E5C2BB74E917C6104A75BDE7CB825B31EE4C5E41034B3269B22E6EB23912F911DD
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6....i..6....i..6....i.Rich..i.........................PE..L...y.(Y...................
Icon Hash: cecfcd94dde7bb19
Entrypoint: 0x401020
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x59281079 [Fri May 26 11:24:41 2017 UTC]
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: a9d50692e95b79723f3e76fcf70d023e
Signature Valid: true
Signature Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Version: 3
Thumbprint MD5: B7DFD3D9B8D7D9C986A8F88389BD0EF9
Thumbprint SHA-1: 6A09E5F94BB1CAF69FEC26C82A59FE2FF18D5DCF
Thumbprint SHA-256: 50F16423FFF4CD956E60E1AE8F3EAFFEAAA16C94A4AC3592196AF2682178D225
Serial: 112187B39871EA55E92E60A8A63192DD60F0
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 44h |
push esi |
call dword ptr [00402000h] |
mov esi, eax |
cmp word ptr [esi], 0022h |
jne 00007F574881F56Dh |
movzx eax, word ptr [esi+02h] |
add esi, 02h |
test ax, ax |
je 00007F574881F504h |
cmp ax, 0022h |
je 00007F574881F504h |
movzx eax, word ptr [esi+02h] |
add esi, 02h |
test ax, ax |
jne 00007F574881F4E0h |
cmp word ptr [esi], 0022h |
jne 00007F574881F4F5h |
add esi, 02h |
movzx eax, word ptr [esi] |
test ax, ax |
je 00007F574881F504h |
cmp ax, 0020h |
jnbe 00007F574881F4FEh |
movzx eax, word ptr [esi+02h] |
add esi, 02h |
test ax, ax |
jne 00007F574881F4E0h |
lea eax, dword ptr [ebp-44h] |
push eax |
mov dword ptr [ebp-18h], 00000000h |
call dword ptr [0040200Ch] |
test byte ptr [ebp-18h], 00000001h |
movzx eax, word ptr [ebp-14h] |
jne 00007F574881F4F7h |
mov eax, 0000000Ah |
push eax |
push esi |
push 00000000h |
push 00000000h |
call dword ptr [00402008h] |
push eax |
call 00007F574881F44Dh |
push eax |
call dword ptr [00402004h] |
nop |
cmp word ptr [esi], 0020h |
jbe 00007F574881F498h |
add esi, 02h |
jmp 00007F574881F4E7h |
int3 |
jmp dword ptr [00402014h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x15b4e | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16600 | 0x2758 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19000 | 0x14 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2020 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xc2 | 0x200 | efcbf92d415cfae731d1c67478ce3d77 | False | 0.318359375 | data | 2.779985066068698 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0x15e | 0x200 | b9d7066f6934c2aa62f67081486ffb39 | False | 0.466796875 | data | 3.5469114648860116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x3000 | 0x15b4e | 0x15c00 | 316f6f6a3c2a8baeef58dbac82c3c962 | False | 0.20825475933908047 | data | 3.1761950054863735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x19000 | 0x6c | 0x200 | da7573abc792074954984239f14c673e | False | 0.060546875 | data | 0.22167620545804623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | ZLIB Complexity
---|---|---|---|---
RT_ICON | 0x3268 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | 0.3370938628158845
RT_ICON | 0x3b10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | 0.14523121387283236
RT_ICON | 0x4078 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | 0.16356618951851415
RT_ICON | 0x148a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | 0.35217842323651455
RT_ICON | 0x16e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | 0.4519230769230769
RT_ICON | 0x17ef0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | 0.21365248226950354
RT_STRING | 0x18358 | 0x62 | data | 0.7142857142857143
RT_GROUP_ICON | 0x183bc | 0x5a | data | 0.7444444444444445
RT_VERSION | 0x18418 | 0x3a4 | data | 0.4624463519313305
RT_MANIFEST | 0x187bc | 0x392 | XML 1.0 document, ASCII text, with CRLF line terminators | 0.4649890590809628
DLL | Import |
---|---|
PCICL32.dll | _NSMClient32@8 |
KERNEL32.dll | GetCommandLineW, ExitProcess, GetModuleHandleW, GetStartupInfoW |
Target ID: 0
Start time: 02:16:40
Start date: 18/04/2024
Path: C:\Users\user\Desktop\client32.exe
Wow64 process (32bit): true
Imagebase: 0x810000
File size: 101'720 bytes
MD5 hash: ACA274219070DA800E92A8CAE61235BC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false
Function 00811020 (COMMON): Relevance: 6.1, APIs: 4, Instructions: 51
Uniqueness Score: -1.00%