Edit tour

Windows Analysis Report
client32.exe

Overview

General Information

Sample name:	client32.exe
Analysis ID:	1427727
MD5:	aca274219070da800e92a8cae61235bc
SHA1:	7347b65bb6eaf0931220bb201c39a66206f0d2c4
SHA256:	21903b51f23f7af681a9f69aa066753b202af6c537b97a247d98cfbdec150d63
Infos:

Detection

NetSupport RAT

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Program does not show much activity (idle)

Uses 32bit PE files

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

client32.exe (PID: 3380 cmdline: "C:\Users\user\Desktop\client32.exe" MD5: ACA274219070DA800E92A8CAE61235BC)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.3259078963.0000000000812000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000000.2010301615.0000000000812000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 3380	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.client32.exe.810000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0.0.client32.exe.810000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: client32.exe	ReversingLabs: Detection: 29%
Source: client32.exe	Virustotal: Detection: 22%			Perma Link

Source: client32.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: client32.exe

Static PE information: certificate valid

Source: client32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: E:\nsmsrc\nsm\1250\1250\client32\release_unicode\client32.pdb source: client32.exe

Source: client32.exe	String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: client32.exe	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: client32.exe	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: client32.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: client32.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: client32.exe	String found in binary or memory: https://www.globalsign.com/repository/06

Source: client32.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: client32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\client32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: client32.exe	ReversingLabs: Detection: 29%
Source: client32.exe	Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\client32.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\client32.exe	Section loaded: pcicl32.dll			Jump to behavior

Source: client32.exe

Static PE information: certificate valid

Source: client32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: client32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: E:\nsmsrc\nsm\1250\1250\client32\release_unicode\client32.pdb source: client32.exe

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Yara match	File source: client32.exe, type: SAMPLE
Source: Yara match	File source: 0.2.client32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.client32.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3259078963.0000000000812000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2010301615.0000000000812000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 3380, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
client32.exe	29%	ReversingLabs	Win32.Trojan.NetSupport
client32.exe	23%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427727
Start date and time:	2024-04-18 02:15:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	client32.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target client32.exe, PID 3380 because there are no executed function

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.8230936527915764
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	client32.exe
File size:	101'720 bytes
MD5:	aca274219070da800e92a8cae61235bc
SHA1:	7347b65bb6eaf0931220bb201c39a66206f0d2c4
SHA256:	21903b51f23f7af681a9f69aa066753b202af6c537b97a247d98cfbdec150d63
SHA512:	08df88938059e7324b755c3bc88d8943aaaf6f9244c748f521b265fd0417750e067cff077875d0168a440ad0b5fd3c1b0fa4dd5335bd707d4bf3b07e6c6ede2a
SSDEEP:	768:qHcHeEYjB9aFIrdXrY/TEqMVnYYEFwGxDrLabMiF:qHHF9qEGMVntqxUn
TLSH:	26A3E5C2BB74E917C6104A75BDE7CB825B31EE4C5E41034B3269B22E6EB23912F911DD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6....i..6....i..6....i.Rich..i.........................PE..L...y.(Y...................

File Icon


Icon Hash:	cecfcd94dde7bb19

Static PE Info

General

Entrypoint:	0x401020
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59281079 [Fri May 26 11:24:41 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	a9d50692e95b79723f3e76fcf70d023e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	03/09/2015 17:59:22 22/11/2018 16:54:36
Subject Chain	E=jeff@crosstecsoftware.com, CN=CrossTec Corporation, O=CrossTec Corporation, L=Boca Raton, S=Florida, C=US
Version:	3
Thumbprint MD5:	B7DFD3D9B8D7D9C986A8F88389BD0EF9
Thumbprint SHA-1:	6A09E5F94BB1CAF69FEC26C82A59FE2FF18D5DCF
Thumbprint SHA-256:	50F16423FFF4CD956E60E1AE8F3EAFFEAAA16C94A4AC3592196AF2682178D225
Serial:	112187B39871EA55E92E60A8A63192DD60F0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [00402000h]
mov esi, eax
cmp word ptr [esi], 0022h
jne 00007F574881F56Dh
movzx eax, word ptr [esi+02h]
add esi, 02h
test ax, ax
je 00007F574881F504h
cmp ax, 0022h
je 00007F574881F504h
movzx eax, word ptr [esi+02h]
add esi, 02h
test ax, ax
jne 00007F574881F4E0h
cmp word ptr [esi], 0022h
jne 00007F574881F4F5h
add esi, 02h
movzx eax, word ptr [esi]
test ax, ax
je 00007F574881F504h
cmp ax, 0020h
jnbe 00007F574881F4FEh
movzx eax, word ptr [esi+02h]
add esi, 02h
test ax, ax
jne 00007F574881F4E0h
lea eax, dword ptr [ebp-44h]
push eax
mov dword ptr [ebp-18h], 00000000h
call dword ptr [0040200Ch]
test byte ptr [ebp-18h], 00000001h
movzx eax, word ptr [ebp-14h]
jne 00007F574881F4F7h
mov eax, 0000000Ah
push eax
push esi
push 00000000h
push 00000000h
call dword ptr [00402008h]
push eax
call 00007F574881F44Dh
push eax
call dword ptr [00402004h]
nop
cmp word ptr [esi], 0020h
jbe 00007F574881F498h
add esi, 02h
jmp 00007F574881F4E7h
int3
jmp dword ptr [00402014h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3000	0x15b4e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x16600	0x2758
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19000	0x14	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2020	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc2	0x200	efcbf92d415cfae731d1c67478ce3d77	False	0.318359375	data	2.779985066068698	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x15e	0x200	b9d7066f6934c2aa62f67081486ffb39	False	0.466796875	data	3.5469114648860116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3000	0x15b4e	0x15c00	316f6f6a3c2a8baeef58dbac82c3c962	False	0.20825475933908047	data	3.1761950054863735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x19000	0x6c	0x200	da7573abc792074954984239f14c673e	False	0.060546875	data	0.22167620545804623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3268	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.3370938628158845
RT_ICON	0x3b10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.14523121387283236
RT_ICON	0x4078	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.16356618951851415
RT_ICON	0x148a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.35217842323651455
RT_ICON	0x16e48	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.4519230769230769
RT_ICON	0x17ef0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.21365248226950354
RT_STRING	0x18358	0x62	data	0.7142857142857143
RT_GROUP_ICON	0x183bc	0x5a	data	0.7444444444444445
RT_VERSION	0x18418	0x3a4	data	0.4624463519313305
RT_MANIFEST	0x187bc	0x392	XML 1.0 document, ASCII text, with CRLF line terminators	0.4649890590809628

Imports

DLL	Import
PCICL32.dll	_NSMClient32@8
KERNEL32.dll	GetCommandLineW, ExitProcess, GetModuleHandleW, GetStartupInfoW

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: client32.exePID: 3380, Parent PID: 1028

General

Target ID:	0
Start time:	02:16:40
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\client32.exe"
Imagebase:	0x810000
File size:	101'720 bytes
MD5 hash:	ACA274219070DA800E92A8CAE61235BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000002.3259078963.0000000000812000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000000.2010301615.0000000000812000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: client32.exePID: 3380, Parent PID: 1028COMMON

Non-executed Functions

Function 00811020 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00811027
GetStartupInfoW.KERNEL32(?), ref: 00811081
GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?), ref: 0081109C
ExitProcess.KERNEL32 ref: 008110A9

Memory Dump Source

Source File: 00000000.00000002.3259057349.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.3259035235.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3259078963.0000000000812000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3259100720.0000000000813000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3259100720.0000000000824000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 86d86ab592e66696011cc161e91851c8ca9bb1d801e9b141e0e2ebcb2c82d826
Instruction ID: 3b458917a39726e8aa7e42f2fa86c1f2601a3b5db0f9434b942ac0c7aed8b06b
Opcode Fuzzy Hash: 86d86ab592e66696011cc161e91851c8ca9bb1d801e9b141e0e2ebcb2c82d826
Instruction Fuzzy Hash: 6701C069C00BA596DF306B94880D3FB76BCFF18781F118015EECAE3181E7644CD1C2A9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report client32.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: client32.exePID: 3380, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: client32.exePID: 3380, Parent PID: 1028COMMON

Non-executed Functions

Function 00811020 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Windows Analysis Report
client32.exe