MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 335c33b110f4ab4097e6e89fde308eaa2dfae279e5238a1301d12df9df13a3f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 16



SHA256 hash: 335c33b110f4ab4097e6e89fde308eaa2dfae279e5238a1301d12df9df13a3f9
SHA3-384 hash: 1f3dae3148343d104e2a92bb00e43ca5aae4748c6be0ffcb25c846bd97c6202417a6da7e452066bf365416cb7ec6859b
SHA1 hash: 08f2a9c57f4949acf159119891ae73a6794deeb8
MD5 hash: 3dcbd063f29229a2089f2e1413e246c3
humanhash: twelve-social-beer-montana
File name: 3DCBD063F29229A2089F2E1413E246C3.exe
Download: download sample
Signature: NetSupport
File size: 3'548'283 bytes
First seen: 2025-07-21 16:45:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: efd455830ba918de67076b7c65d86586 (59 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep: 98304:OxHXSbuDBlC1PZe4pj7ZluJzTEWoXvryySKGsCl0qc:OSoTSPJ1v4zTEpzyySKGsClVc
Threatray: 950 similar samples on MalwareBazaar
TLSH: T105F5F123E2CBA13FF06A4A364AB6D226543BBA6065124C6797EC385CCF361D41D3F647
TrID:
  49.8% (.EXE) Inno Setup installer (107240/4/30)
  20.0% (.EXE) InstallShield setup (43053/19/16)
  19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
  2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: 91-84-106-175 exe NetSupport


abuse_ch
NetSupport C2:
91.84.106.175:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 91.84.106.175:443
ThreatFox reference: https://threatfox.abuse.ch/ioc/1559041/

Intelligence


File Origin
# of uploads:
1
# of downloads:
28
Origin country:
NL
Vendor Threat Intelligence
Malware family:
netsupport
ID:
1
File name:
335c33b110f4ab4097e6e89fde308eaa2dfae279e5238a1301d12df9df13a3f9.exe
Verdict:
Malicious activity
Analysis date:
2025-07-21 16:47:08 UTC
Tags:
rmm-tool netsupport remote auto-reg

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
vmdetect netsup
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for the window
Connection attempt
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint installer overlay overlay packed zero
Malware family:
NetSupport Ltd
Verdict:
Suspicious
Result
Threat name:
NetSupport RAT
Detection:
malicious
Classification:
rans.spyw.evad
Score:
76 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Behavior Graph ID: 1741419
Sample: SHdFxVYU21.exe
Start date: 21/07/2025
Architecture: WINDOWS
Score: 76
Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
DNS: geo.netsupportsoftware.com
Process chain:
  SHdFxVYU21.exe: dropped C:\Users\user\AppData\...\SHdFxVYU21.tmp (PE32); started SHdFxVYU21.tmp
  SHdFxVYU21.tmp: dropped C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); started SHdFxVYU21.exe
  SHdFxVYU21.exe: dropped C:\Users\user\AppData\...\SHdFxVYU21.tmp (PE32); started SHdFxVYU21.tmp
  SHdFxVYU21.tmp: dropped C:\Users\user\...\zoomregutil.exe (copy, PE32), C:\Users\user\...\remcmdstub.exe (copy, PE32), C:\Users\user\AppData\...\pcicapi.dll (copy, PE32) and 14 other files (11 malicious); started zoomregutil.exe
  zoomregutil.exe (also started twice at top level): connected to 91.84.106.175:443 from port 49719 (ECLIPSEGB, United Kingdom) and to geo.netsupportsoftware.com 104.26.0.231:80 from port 49720 (CLOUDFLARENETUS, United States)
  zoomregutil.exe signatures: Contains functionality to change the wallpaper; Delayed program exit found; Contains functionality to detect sleep reduction / modifications
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Result
Malware family:
netsupport
Score:
  10/10
Tags:
family:netsupport discovery persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
RemoteAccessTool
YARA:
n/a
Unpacked files
SHA256 hash:
335c33b110f4ab4097e6e89fde308eaa2dfae279e5238a1301d12df9df13a3f9
MD5 hash:
3dcbd063f29229a2089f2e1413e246c3
SHA1 hash:
08f2a9c57f4949acf159119891ae73a6794deeb8
SHA256 hash:
ac6b15d35dc5f5982cc9de04ec7df255c2c1ea23804280be5a2e3726324e719f
MD5 hash:
8a2846084440dd0c67f1d32c46addeb9
SHA1 hash:
4dbe9199ba516f8ab538319c31840ac60bddadca
SHA256 hash:
f4c75f73c63f0134398f73380ac88e908a9e098ceb3e03f8b712ae41bd559398
MD5 hash:
3e239111f9c2dee95b0e91746b8a4e8d
SHA1 hash:
39206ef1047805f571db4347944fad7a9e31accf
SHA256 hash:
fc627ad158394bbb457deb328b01a00b8a0419a683602a651c2d7dd21da5fccd
MD5 hash:
7559035d2915dd8b3bd5332297328160
SHA1 hash:
71a20a2f06e838a5bc7450583c780a0277a6a50b
SHA256 hash:
502aea8533c43b3541d8566c66025f1f1656062ae24ed829c591ef1387e48267
MD5 hash:
379059cd248f49397be434e7555249ac
SHA1 hash:
940be4f9b900b56c5fc53ee6c72f24e975aa1bcc
SHA256 hash:
cd996ea381ba79ef2c36b7bd61ec0605aa92f771735b6755378c6f848de1fcb4
MD5 hash:
0df3ea90cd76b1e92cba8f18ca8e7538
SHA1 hash:
d0769066ae61409e1d029025d5578451092dce1f
SHA256 hash:
1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5 hash:
f525bd5dcec08be37a94d743d345be14
SHA1 hash:
ed1485111b370e0f75c004c5b253d3bf7ce18cf7
SHA256 hash:
00f57b9910630a7049df821a39c733ca35763d9b11a58e8c0e52b06066a52643
MD5 hash:
46eacdca48274cc56965e2f11cc63d66
SHA1 hash:
305429533557823d54f1cb1766d080b7249b6d99
SHA256 hash:
75344dc2802f3d542c1b00131d44910eb280b1edee116af082cf7ee8afd8f65e
MD5 hash:
c9a1f1b6c18c3212c9cdb2f71a16750b
SHA1 hash:
b25f9e2ebe9375802f94c66e5e2725aea207df97
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high
Reviews
ID: AUTH_API
Capabilities: Manipulates User Authorization
Evidence:
  advapi32.dll::AllocateAndInitializeSid
  advapi32.dll::ConvertSidToStringSidW
  advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
  advapi32.dll::EqualSid
  advapi32.dll::FreeSid

ID: SECURITY_BASE_API
Capabilities: Uses Security Base API
Evidence:
  advapi32.dll::AdjustTokenPrivileges
  advapi32.dll::GetTokenInformation

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence:
  kernel32.dll::CreateProcessW
  advapi32.dll::OpenProcessToken
  advapi32.dll::OpenThreadToken
  kernel32.dll::CloseHandle
  kernel32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence:
  kernel32.dll::LoadLibraryA
  kernel32.dll::LoadLibraryExW
  kernel32.dll::LoadLibraryW
  kernel32.dll::GetDriveTypeW
  kernel32.dll::GetVolumeInformationW
  kernel32.dll::GetSystemInfo

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence:
  kernel32.dll::CreateDirectoryW
  kernel32.dll::CreateFileW
  kernel32.dll::DeleteFileW
  kernel32.dll::GetWindowsDirectoryW
  kernel32.dll::GetSystemDirectoryW
  kernel32.dll::GetFileAttributesW

ID: WIN_BASE_USER_API
Capabilities: Retrieves Account Information
Evidence:
  advapi32.dll::LookupPrivilegeValueW

ID: WIN_REG_API
Capabilities: Can Manipulate Windows Registry
Evidence:
  advapi32.dll::RegOpenKeyExW
  advapi32.dll::RegQueryValueExW

ID: WIN_USER_API
Capabilities: Performs GUI Actions
Evidence:
  user32.dll::PeekMessageW
  user32.dll::CreateWindowExW

Comments