MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf
SHA3-384 hash: 2a843d504cd66cfbb00f2eff7ba3d39adbd12a4718b4fab992a4fbd02e104fb5a48b207b455f95679fd4f4319391a716
SHA1 hash: 29966e6a643694af74bd2b5de019c6fdb9e4eab1
MD5 hash: ef971f0eb6dd2810eae97b269e175de5
humanhash: triple-pennsylvania-december-video
File name:Mono_Neutral9.07.4.msi
Download: download sample
Signature NetSupport
Create hunting rule
File size:3'096'576 bytes
First seen:2026-06-24 11:25:12 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:DZFix3vZ5b+HLZ7J4PENo4dbK8derUKtsZKSdXe3xUu5YHNo7eqFrO5IUYZWfWD9:DeVZ5gt447p2uBe3xUu5YqZONYofX7Ox
TLSH T179E5338AB88CCBEFD24713B5B1D0E91904559E99741940ACA7B5FF2C6D30B14EA33DE1
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:176-65-144-133 msi NetSupport selopik-net voenast-net

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
Link:
https://research.acce.ciphertechsolutions.com/results/bdda41c0-56ec-41ae-b958-64c32a737035/
Detection:
NetSupport
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71819/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3bbebb1548daf709f96456
Tags:
netsup trojan virus hype
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug CAB expired-cert installer installer reconnaissance
Link:
https://www.filescan.io/uploads/6a3bbeb39799578a6c49a490/reports/eb430af5-fe61-41e2-a07a-4d4804f6c62f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf
Verdict:
Malicious
File Type:
msi
First seen:
2026-06-23T21:03:00Z UTC
Last seen:
2026-06-25T23:49:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.OLE2.Alien.gen Backdoor.RABased.HTTP.C&C HEUR:Trojan.Script.NetSup.gen RemoteAdmin.NetSup.HTTP.C&C not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen
Link:
https://opentip.kaspersky.com/38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf/results?tab=lookup
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1933102
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1933102 Sample: Mono_Neutral9.07.4.msi Startdate: 24/06/2026 Architecture: WINDOWS Score: 60 49 voenast.net 2->49 53 Suricata IDS alerts for network traffic 2->53 9 explorer.exe 2->9         started        11 msiexec.exe 75 38 2->11         started        14 explorer.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 18 SecurityHealth.exe 1 4 9->18         started        45 C:\Users\user\AppData\Local\...\7z.exe, PE32 11->45 dropped 47 C:\Users\user\AppData\Local\...\7z.dll, PE32 11->47 dropped 22 msiexec.exe 1 1 11->22         started        24 SecurityHealth.exe 14->24         started        process6 dnsIp7 51 voenast.net 176.65.144.133, 443, 49702 DEDIK-CHGB Switzerland 18->51 55 Contains functionalty to change the wallpaper 18->55 57 Delayed program exit found 18->57 59 Contains functionality to detect sleep reduction / modifications 18->59 26 7z.exe 28 22->26         started        29 7z.exe 2 22->29         started        31 explorer.exe 22->31         started        signatures8 process9 file10 37 C:\ProgramData\...\SecurityHealth.exe, PE32 26->37 dropped 39 C:\ProgramData\MerryFlorist\remcmdstub.exe, PE32 26->39 dropped 41 C:\ProgramData\MerryFlorist\pcicapi.dll, PE32 26->41 dropped 43 18 other files (none is malicious) 26->43 dropped 33 conhost.exe 26->33         started        35 conhost.exe 29->35         started        process11
Score:
1%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf
Threat name:
Win32.Trojan.Yomal
Create hunting rule
Status:
Malicious
First seen:
2026-06-24 00:49:24 UTC
File Type:
Binary (Archive)
Extracted files:
110
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdwqmw5xhhralmv4yvi3hvvw4444rshqdpfuc2cgi7avpaezz6xq._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
error
NetSupport
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery persistence privilege_escalation ransomware rat
Link:
https://tria.ge/reports/260624-njlxbsbw6x/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Family: NetSupport
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38ed065bb739e205b2bcc551b3d6b6e739c8c8f01bcb41684647c1578099cfaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71819/

Comments