MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41e0e743ebb23efb32a855e0ae610f2b49ba2e7d2e4f3f5f8f8f72c56e0ccd67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10

Intelligence 10 IOCs YARA 55 File information Comments

SHA256 hash:	41e0e743ebb23efb32a855e0ae610f2b49ba2e7d2e4f3f5f8f8f72c56e0ccd67
SHA3-384 hash:	7027dbbbada144c6ac521094ce5258f6f23b7cf3020da4c03dc642c2712660f74db572ed8f46090210a372417bbed73f
SHA1 hash:	b2ecc8eabc96ae264a0a1720f8abfb4fcc6545ed
MD5 hash:	d3ad6944a121cdd90a0e458344e49e5a
humanhash:	network-shade-october-magazine
File name:	ZenithQuantum.zip
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	4'538'681 bytes
First seen:	2026-03-17 10:26:23 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	98304:ssDYz0f2bLxmDcvYvBgzNUWsvBwh7pq6q8WZ+Tz1v7u7Xo9c2j6W8Gkj:ssDgLUDcwvSzNUWsvBwT3BWa1v7yac2I
TLSH	T1142633B296E8FF43D61DFC682C7C2AE5332E1A8352E49EE44291838AF4771517E4F854
Magika	zip
Reporter	JAMESWT_WT
Tags:	client32 hotelupdatesys-com ini LIC mandatoryhotel-com NetSupport zip

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

File Archive Information

This file archive contains 20 file(s), sorted by their relevance:

File name:	nskbfltr.inf
File size:	328 bytes
SHA256 hash:	d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash:	26e28c01461f7e65c402bdf09923d435
MIME type:	application/x-setupscript
Signature	NetSupport

File name:	HTCTL32.DLL
File size:	323'912 bytes
SHA256 hash:	6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
MD5 hash:	051cdb6ac8e168d178e35489b6da4c74
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	string.txt
File size:	82 bytes
SHA256 hash:	24a0680ebb5eaa2d71f21305eaab0f489d0766831bece3e6b66b585c54bd1804
MD5 hash:	2f97f5e1ddd0a040b9b43cc8308355f9
MIME type:	application/octet-stream
Signature	NetSupport

File name:	TCCTL32.DLL
File size:	387'400 bytes
SHA256 hash:	6ffe12cdfe0a36dec4b4a40ecdafb4097b1af7c340b0fcecf9f5c67b7fa8b299
MD5 hash:	1e6e804ca71eaf5bef0abef95c578cf0
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	lnk.7z
File size:	1'375 bytes
SHA256 hash:	7c9d85c89949b43ef2fabcba580f8a308af3706db4d6b6ca1d8a626fc8a2149d
MD5 hash:	631e5b6951e8b6b16e23220cbba0e1f1
MIME type:	application/x-7z-compressed
Signature	NetSupport

File name:	NSM.ini
File size:	6'099 bytes
SHA256 hash:	e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d
MD5 hash:	99f493dce7fab330dc47f0cab8fe6172
MIME type:	text/plain
Signature	NetSupport

File name:	Service.exe
File size:	120'256 bytes
SHA256 hash:	56ebaf8922749b9a9a7fa2575f691c53a6170662a8f747faeed11291d475c422
MD5 hash:	0e660f7e5a6621a9185a7b8080364500
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	7z.exe
File size:	303'480 bytes
SHA256 hash:	43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
MD5 hash:	58712aacf6b0f8149c066bda3a034fc3
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	client32.ini
File size:	784 bytes
SHA256 hash:	b61a9fe03c1eaf48f1edb89f5933ca0a62c79f88810c9f5d5fa02538409b0ccf
MD5 hash:	42925e7e1f24c9941be3a8c02827c310
MIME type:	text/plain
Signature	NetSupport

File name:	AudioCapture.dll
File size:	89'416 bytes
SHA256 hash:	2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5
MD5 hash:	7629af8099b76f85d37b3802041503ee
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	PCICHEK.DLL
File size:	14'664 bytes
SHA256 hash:	0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
MD5 hash:	3aabcd7c81425b3b9327a2bf643251c6
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	msvcr100.dll
File size:	773'968 bytes
SHA256 hash:	8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash:	0e37fbfa79d349d672456923ec5fbbe3
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	pcicapi.dll
File size:	108'944 bytes
SHA256 hash:	2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
MD5 hash:	67c53a770390e8c038060a1921c20da9
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	at.7z
File size:	1'512'160 bytes
SHA256 hash:	c0f29ab0fe6f6912c8d059ece9872f8e98a4a905e4d66bba255bd0823595a1da
MD5 hash:	3aba858b8e1e02ee5ea2a2647c3c7347
MIME type:	application/x-7z-compressed
Signature	NetSupport

File name:	PCICL32.DLL
File size:	3'490'632 bytes
SHA256 hash:	b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80
MD5 hash:	e7b92529ea10176fe35ba73fa4edef74
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	NSM.LIC
File size:	251 bytes
SHA256 hash:	e09980d1b1c508eb29d2931ac92f8d0a7e49ca5fe6ab6277fabf097a0b033b63
MD5 hash:	5d7445efa8a5560842c868369127cd79
MIME type:	text/plain
Signature	NetSupport

File name:	nsm_vpro.ini
File size:	46 bytes
SHA256 hash:	4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b
MD5 hash:	3be27483fdcdbf9ebae93234785235e3
MIME type:	text/plain
Signature	NetSupport

File name:	remcmdstub.exe
File size:	59'728 bytes
SHA256 hash:	b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2
MD5 hash:	5be6fb8f28544d4f83c25a2b76ff7890
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	7z.dll
File size:	1'151'864 bytes
SHA256 hash:	b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c
MD5 hash:	95c6515d88e9ea48a9b949a81c1dac4e
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	2
File size:	346 bytes
SHA256 hash:	49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e
MD5 hash:	24d3b502e1846356b0263f945ddd5529
MIME type:	text/plain
Signature	NetSupport

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/6cd05b76-1264-4cd5-98af-c70e45725665/

Detection(s):

SecuriteInfo.com.W32.Agent.349E.tr.13276.10306.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.7376.24721.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.6705.12909.UNOFFICIAL

SecuriteInfo.com.Trojan.GenericKD.79705662.7494.19517.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.26785.29824.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.29128.13096.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.24227.28946.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.21425.23064.UNOFFICIAL

SecuriteInfo.com.Trojan.RA.587.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.305.6900.UNOFFICIAL

PUA.Win.Tool.NetSupport-10022498-8

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698c340338c84aca0d32d145

Tags:

injection netsup obfusc virus

Verdict:

Suspicious

Labled as:

Risk.RemoteAdmin

Link:

https://www.hybrid-analysis.com/sample/41e0e743ebb23efb32a855e0ae610f2b49ba2e7d2e4f3f5f8f8f72c56e0ccd67

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/41e0e743ebb23efb32a855e0ae610f2b49ba2e7d2e4f3f5f8f8f72c56e0ccd67

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Adware

File Type:

zip

Link:

https://opentip.kaspersky.com/41e0e743ebb23efb32a855e0ae610f2b49ba2e7d2e4f3f5f8f8f72c56e0ccd67/results?tab=lookup

Score:

82%

Verdict:

Malware

File Type:

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport discovery rat

Link:

https://tria.ge/reports/260317-qhesqscy5z/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/41e0e743ebb23efb32a855e0ae610f2b49ba2e7d2e4f3f5f8f8f72c56e0ccd67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NetSupportRAT_Config Create hunting rule
Author:	abuse.ch

Rule name:	Armadillov1xxv2xx Create hunting rule
Author:	malware-lu

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CHM_File_Executes_JS_Via_PowerShell Create hunting rule
Author:	daniyyell
Description:	Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NetSupport Create hunting rule
Author:	YungBinary
Description:	Detects NetSupport Manager RAT on disk or in memory

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample