MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933
SHA3-384 hash: 1ff9d32dd9512403765baf43b8603429144a4c7397f9570ebd83c23d219107fe6d0233d2e7bd03e87771184b955badf3
SHA1 hash: 79765d3590989e43fbad965451b834bb5528f606
MD5 hash: 504a149b0f8dde44b9a716e1ffd1a0dc
humanhash: football-gee-rugby-utah
File name:IqtisodiyUZ.jar
Download: download sample
Signature NetSupport
Create hunting rule
File size:32'896 bytes
First seen:2026-03-18 21:36:34 UTC
Last seen:Never
File type:Java file jar
MIME type:application/java-archive
ssdeep 768:oL00tfvsq+7siVd2ZzeFD9Pa9kVcwmhyd1fS6Y/H:oqX7FTPAcRmK1fSr/H
TLSH T1CBE2F16AF0E7F5F5D63F263B0E8A12539838E50C33DB324905589DFC57D68E94A308A4
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter smica83
Tags:jar NetSupport

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.149.76.140:5222 https://threatfox.abuse.ch/ioc/1771109/

Intelligence

File Origin
# of uploads :
1
# of downloads :
37
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
_2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933.zip
Verdict:
Malicious activity
Analysis date:
2026-03-18 21:38:19 UTC
Tags:
loader netsupport rmm-tool auto generic auto-startup auto-reg antivm tool
Link:
https://app.any.run/tasks/8eefcf2a-088f-4a84-871c-3f11bc90a996

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58027/
Gathering data
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bb1b0e88c80c01586bc8b9
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/69bb1b0c2000fc76c3eaeaa4/reports/8e9c8bfc-1a10-41a0-8737-7b2f0ac8ecb1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933
Verdict:
Malicious
File Type:
jar
Link:
https://opentip.kaspersky.com/2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933/results?tab=lookup
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1886045
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Java Jar creates autostart registry key (Windows persistence behavior)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1886045 Sample: IqtisodiyUZ.jar Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 62 harpsdesire.net 2->62 64 soliq-smart.com 2->64 66 geo.netsupportsoftware.com 2->66 74 Suricata IDS alerts for network traffic 2->74 76 Sigma detected: Drops script at startup location 2->76 78 Drops PE files to the document folder of the user 2->78 80 6 other signatures 2->80 10 cmd.exe 2 2->10         started        12 cmd.exe 1 2->12         started        14 cmd.exe 1 2->14         started        16 cmd.exe 1 2->16         started        signatures3 process4 process5 18 java.exe 31 10->18         started        22 conhost.exe 10->22         started        24 cmd.exe 1 12->24         started        26 conhost.exe 12->26         started        28 client32.exe 14->28         started        30 conhost.exe 14->30         started        32 client32.exe 16->32         started        34 conhost.exe 16->34         started        dnsIp6 68 soliq-smart.com 84.32.84.246, 49689, 49690, 80 NTT-LT-ASLT Lithuania 18->68 54 C:\Users\user\Documents\...\tcctl32.dll, PE32 18->54 dropped 56 C:\Users\user\Documents\...\remcmdstub.exe, PE32 18->56 dropped 58 C:\Users\user\Documents\...\qwave.dll, PE32 18->58 dropped 60 17 other malicious files 18->60 dropped 36 cmd.exe 1 18->36         started        38 cmd.exe 1 18->38         started        40 client32.exe 24->40         started        file7 process8 process9 42 cmd.exe 1 36->42         started        44 conhost.exe 36->44         started        46 conhost.exe 38->46         started        48 reg.exe 1 1 38->48         started        process10 50 client32.exe 16 42->50         started        dnsIp11 70 harpsdesire.net 46.149.76.140, 49697, 5222 ASARTTELECOMRU Russian Federation 50->70 72 geo.netsupportsoftware.com 104.26.0.231, 49698, 49699, 49700 CLOUDFLARENETUS United States 50->72 82 Multi AV Scanner detection for dropped file 50->82 84 Contains functionalty to change the wallpaper 50->84 86 Delayed program exit found 50->86 88 Contains functionality to detect sleep reduction / modifications 50->88 signatures12
Score:
47%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/2de3804d3dc568d887800b02782b212eff8607e4f44db729079fa5f7930a8933
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxryatj5yvunrb4abmbhqkzbf37ymb7e6rg3okiht6s7peykrezq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260318-1glj1ady2y/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/58027/

Comments